Oracle® BPEL Process Manager

Administrator’s Guide 10g (10.1.3.1.0)
Part No. B28982-03

January 2007

Oracle BPEL Process Manager Administrator’s Guide, 10g (10.1.3.1.0) Part No. B28982-03 Copyright © 2006, 2007, Oracle. All rights reserved. Primary Author: Mark Kennedy Contributor: Oracle BPEL Process Manager development, product management, and quality assurance teams The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065 The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs. Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.

Contents
Preface ................................................................................................................................................................ vii
Audience...................................................................................................................................................... vii Documentation Accessibility .................................................................................................................... vii Related Documents ................................................................................................................................... viii Conventions ................................................................................................................................................. ix

1

Oracle BPEL Process Manager Security
Security Overview.................................................................................................................................... 1-1 WS-Security......................................................................................................................................... 1-3 Authentication ................................................................................................................................... 1-3 Authorization ..................................................................................................................................... 1-3 Encryption and Decryption .............................................................................................................. 1-4 Secure Socket Layer .......................................................................................................................... 1-4 Digital Signatures for Integrity and Nonrepudiation................................................................... 1-4 BPEL Security Extensions ................................................................................................................. 1-4 Securing BPEL Processes (Inbound)..................................................................................................... 1-5 Using SSL for Certificate-Based Authentication............................................................................ 1-6 Oracle BPEL Process Manager for OracleAS Middle Tier .................................................... 1-6 Step 1: Configuring OC4J ................................................................................................... 1-7 Step 2: Configuring Oracle BPEL Server .......................................................................... 1-7 Oracle BPEL Process Manager for Developers....................................................................... 1-8 Step 1: Configuring OC4J ................................................................................................... 1-8 Step 2: Configuring Oracle BPEL Server .......................................................................... 1-8 Using J2EE Basic Authentication ..................................................................................................... 1-8 Oracle BPEL Process Manager for OracleAS Middle Tier .................................................... 1-9 Oracle BPEL Process Manager for Developers....................................................................... 1-9 Using the Native BPEL Security Extensions ............................................................................... 1-10 Domain and Process Level Security ...................................................................................... 1-11 Java API ..................................................................................................................................... 1-13 HTTP Binding........................................................................................................................... 1-13 SOAP over HTTP Binding ...................................................................................................... 1-13 Invoking Secured Services (Outbound) ........................................................................................... 1-14 Using SSL for Certificate-Based Authentication......................................................................... 1-15 Oracle JDeveloper Design Time............................................................................................. 1-17 Oracle BPEL Server Runtime ................................................................................................. 1-17

iii

HTTP/S with Partner Link Server Certificate Authentication Only......................... HTTP/S with Partner Link Server and Oracle BPEL Server Client Certificate Authentication.................................................................................................................. WS-Security-Compliant Services .................................................................................................. SOAP Binding........................................................................................................................... Configuration .................................................................................................................... Axis Services with Custom Authentication Handlers ............................................................... J2EE Basic Authentication Protected Services (HTTP) .............................................................. HTTP Basic Authentication (10.1.2.0.2) ................................................................................ HTTP Binding (10.1.3) ............................................................................................................. Java and EJB Binding (10.1.3) ........................................................................................................ Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles................................. Example 1: Creating New Users and Groups to Access New BPEL Domains ...................... Example 2: Creating a New User to Access the Default BPEL Domain.................................. Example 3: Creating a New User to Access All BPEL Domains .............................................. Default and Custom Validators .......................................................................................................... Using the Default Validator........................................................................................................... Creating a Custom Validator......................................................................................................... Invoking a Partner Web Service through a Proxy Server .............................................................. Using Oracle Web Services Manager for Authorization, Message Encryption, and Digital Signatures ............................................................................................................................................... Authorization................................................................................................................................... Message Encryption and Decryption ........................................................................................... Digital Signatures............................................................................................................................ Summary .................................................................................................................................................

1-17 1-18 1-18 1-19 1-19 1-20 1-20 1-20 1-21 1-21 1-22 1-23 1-24 1-24 1-25 1-25 1-26 1-28 1-28 1-29 1-29 1-29 1-29

2

Service Configuration
Configuring the Identity Service .......................................................................................................... 2-1 Structure of the Identity Service Configuration File ..................................................................... 2-1 provider Element ........................................................................................................................ 2-2 Multiple Service Providers ................................................................................................. 2-3 Optional Parameters............................................................................................................ 2-4 connection Element..................................................................................................................... 2-4 userControls and roleControls Elements ................................................................................ 2-5 Configuration for the XML-Based JAZN Provider ....................................................................... 2-6 Configuring Identity Service 10.1.3.1.0 with 10.1.2 Oracle Internet Directory.......................... 2-7 Task 1: Perform Preconfiguration Procedures........................................................................ 2-7 Oracle Internet Directory is Associated with an Oracle Application Server Instance ................................................................................................................................................ 2-8 Oracle Internet Directory is Not Associated with an Oracle Application Server Instance.................................................................................................................................. 2-9 Task 2: Perform Configuration Procedures.......................................................................... 2-10 Step 3: Test the Oracle Internet Directory Configuration .................................................. 2-13 Task 4: Configure the Middle Tier to use the LDAP-based JAZN provider with Secure Socket Layer (SSL) .................................................................................................................. 2-13 Troubleshooting ....................................................................................................................... 2-13 Reverting from Oracle Internet Directory to the XML-Based JAZN Provider ............... 2-14

iv

Configuration for a Third-Party LDAP Server ........................................................................... Configuration for Custom Identity Repository Plug-ins .......................................................... Setting Up Group Ownership ....................................................................................................... Defining Group Ownership for JAZN XML-Based Providers .......................................... Defining Group Ownership for JAZN Oracle Internet Directory-Based and LDAP-Based Providers .......................................................................................................... Configuring the Notification Services .............................................................................................. Configuring the E-mail Server ...................................................................................................... Example ns_emails.xml File ................................................................................................... Configuring the Wireless Provider for Voice.............................................................................. Example ns_iaswconfig.xml File ........................................................................................... Configuring the Wireless Provider for SMS................................................................................ Configuring the Wireless Provider for Fax ................................................................................. Configuring the Fax Cover Page............................................................................................ Configuring the Wireless Provider for Pager ............................................................................. Configuring the Pluggable Notification Service......................................................................... Pluggable Notification Service Implementation ................................................................. Pluggable Notification Service Registration ........................................................................ Configuring the Workflow Service.................................................................................................... taskAutoReleaseConfigurations ................................................................................................... worklistApplicationURL................................................................................................................ actionableEmailAccountName...................................................................................................... pushbackAssignee........................................................................................................................... assigneeDelimiter ............................................................................................................................ shortHistoryActions........................................................................................................................ workflowServiceSessionTimeoutInMinutes ............................................................................... user:ruleRepositoryInfo ................................................................................................................. Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry................................................................................................................................................... Task 1: Installing the Oracle Application Server SOA Suite and OracleAS Service Registry ............................................................................................................................................ Task 2: Deploying Web Services ................................................................................................... Task 3: Publishing a Service and Adding Bindings ................................................................... Task 4: Specifying the Registry Service Inquiry URL in Oracle BPEL Control...................... Task 5: Creating a Connection to the UDDI Registry ................................................................ Task 6: Configuring the RapidDistributors Partner Link.......................................................... Task 7: Specifying the OracleAS Service Registry Service Key ................................................ Task 8: Securing the Client with Basic Authentication (Optional) .......................................... Troubleshooting .............................................................................................................................. Summary .................................................................................................................................................

2-15 2-19 2-19 2-19 2-20 2-20 2-20 2-22 2-23 2-23 2-24 2-24 2-24 2-24 2-24 2-24 2-25 2-26 2-27 2-27 2-27 2-27 2-28 2-28 2-29 2-29 2-30 2-31 2-34 2-35 2-36 2-37 2-37 2-38 2-38 2-39 2-39

3

Creating a Custom Identity Service Plug-in
Creating a Custom Identity Service Plug-in ....................................................................................... Description of Oracle BPEL Process Manager Interfaces ............................................................. Implementing the Identity Service Plug-in .................................................................................... Specifying the Service Factory Methods......................................................................................... Specifying the Provider Configuration ........................................................................................... 3-1 3-1 3-2 3-4 3-5

v

Implementing the BPMProvider Interface .................................................................................... Deploying the Identity Service Plug-in........................................................................................... Registering and Configuring the Identity Service for the Custom Plug-in ............................... Creating Users and Groups .............................................................................................................. Summary ....................................................................................................................................................

3-5 3-6 3-6 3-7 3-7

4

Configuring and Viewing BPEL Process Logs
Logging Overview.................................................................................................................................... Domain Level Logging ............................................................................................................................ System Level Logging ............................................................................................................................. System and Domain Level Logging Examples ................................................................................... Example 1: Process Invokes an External Web Service .................................................................. Example 2: Java Class Invoked through WSIF Binding ............................................................... Example 3: Process Invokes an Asynchronous Service ................................................................ Example 4: Process Sends a Notification ........................................................................................ Logging with Sensors .............................................................................................................................. Logging with bpelx:exec in a Java Embedding Activity................................................................... Summary .................................................................................................................................................... 4-1 4-2 4-5 4-6 4-6 4-6 4-6 4-6 4-7 4-7 4-7

A

Demo User Community
Setting Up JAZN Demo Users .............................................................................................................. Demo Users and Roles...................................................................................................................... Using the Demo User Community in the Order Booking Tutorial ........................................... Summary ................................................................................................................................................... A-1 A-1 A-6 A-6

Index

vi

Preface This manual describes how to administer Oracle BPEL Process Manager. some screen readers may not always read a line of text that consists solely of a bracket or brace. For more information. To that end. services. and supporting documentation accessible.1. with good usability. This documentation is available in HTML format. This preface contains the following topics: ■ ■ ■ ■ Audience Documentation Accessibility Related Documents Conventions Audience This manual is intended for anyone who is interested in administering Oracle BPEL Process Manager. our documentation includes features that make information available to users of assistive technology.2 has been moved to the Oracle Application Server Performance Guide for release 10. The conventions for writing code require that closing braces should appear on an otherwise empty line. visit the Oracle Accessibility Program Web site at http://www.0.2.oracle. vii .com/accessibility/ Accessibility of Code Examples in Documentation Screen readers may not always correctly read the code examples in this document. and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. and contains markup to facilitate access by the disabled community. to the disabled community. Documentation Accessibility Our goal is to make Oracle products. Note: The chapter on Oracle BPEL Process Manager performance tuning that appeared in this guide for 10.1. however.0.1. Accessibility standards will continue to evolve over time.3.

w3.oracle. registration is free and can be done at http://www.org/TR/wsdl viii .w3. then you can go directly to the documentation section of the OTN Web site at http://www. or other collateral. installation documentation.com/technology/membership/ To download Oracle BPEL Process Manager documentation. FTP.Accessibility of Links to External Web Sites in Documentation This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. TTY Access to Oracle Support Services Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day. Databases.com/technology/documentation/ See the Business Process Execution Language for Web Services Specification. call 800. available at the following URL: http://msdn. and Enterprise Messaging User’s Guide Oracle Application Server Adapter Concepts Oracle Application Server Adapter for Oracle Applications User’s Guide ■ ■ ■ ■ ■ ■ Printed documentation is available for sale in the Oracle Store at http://oraclestore. Related Documents For more information.com/technology/bpel/ If you already have a username and password for OTN.asp See the XML Path Language (XPath) Specification. visit the Oracle BPEL Process Manager site at Oracle Technology Network (OTN): http://www. technical notes. white papers.oracle.446.oracle.com/ To download free release notes. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites. seven days a week. You must register online before using OTN. visit the Oracle Technology Network (OTN).2398. For TTY support.asp?url=/library/en-us /dnbizspec/html/bpel1-1.microsoft. available at the following URL: http://www.org/TR/1999/REC-xpath-19991116 See the Web Services Description Language (WSDL) 1. available at the following URL: http://www.com/library/default. see the following Oracle resources: ■ Oracle Application Server Performance Guide for Oracle BPEL Process Manager tuning and performance information Oracle BPEL Process Manager Quick Start Guide Oracle BPEL Process Manager Order Booking Tutorial Oracle BPEL Process Manager Developer’s Guide Oracle Adapters for Files. or other collateral.1 Specification.oracle.

Monospace type indicates commands within a paragraph. text that appears on the screen. Italic type indicates book titles. or terms defined in text or the glossary. or text that you enter.Conventions The following text conventions are used in this document: Convention boldface italic monospace Meaning Boldface type indicates graphical user interface elements associated with an action. URLs. ix . emphasis. code in examples. or placeholder variables for which you supply particular values.

x .

The following transport security and authentication methods are available: – – – SSL (HTTP/S) WS-Security-compliant services Axis services Oracle BPEL Process Manager Security 1-1 . Preventing unauthorized users from breaking into your system is required to protect both the integrity of your processes and the personal information of your customers. This chapter describes the methods available for securing BPEL processes and invoking secured Web services with Oracle BPEL Process Manager. Message Encryption. The following transport security and authentication methods are available: – – – SSL (HTTP/S) J2EE basic authentication (HTTP) BPEL security extensions ■ Invoking secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running.1 Oracle BPEL Process Manager Security It is critical to control access to BPEL processes and to the Web services they use. This chapter contains the following topics: ■ ■ ■ ■ ■ ■ ■ Security Overview Securing BPEL Processes (Inbound) Invoking Secured Services (Outbound) Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles Default and Custom Validators Invoking a Partner Web Service through a Proxy Server Using Oracle Web Services Manager for Authorization. and Digital Signatures Summary ■ Security Overview Security in Oracle BPEL Process Manager is implemented as follows: ■ Securing a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server.

Security Overview – – J2EE basic authentication (HTTP) Java and Enterprise Java Bean (EJB) binding Figure 1–1 provides an overview of these transport security and authentication methods available for securing BPEL processes (inbound) and invoking secured services (outbound): Figure 1–1 Inbound and Outbound Transport Security and Authentication Methods Inbound client service request SSL (HTTP/S)* J2EE Basic Authentication (HTTP)* BPEL Security Extensions Securing BPEL Processes: Transport Security and Authentication Methods Firewall Oracle Application Server OC4J Oracle BPEL Process Manager Domain / Process Level Security Java API HTTP Binding SOAP over HTTP Binding WSIF Layer SSL (HTTP/S) WS-Security Compliant Services (SOAP Binding) Axis Services J2EE Basic Authentication (HTTP) Java and EJB Binding Invoking Secured Processes: Transport Security and Authentication Methods Firewall Outbound Oracle BPEL Server client request Server on which partner link web service is running * With the Oracle BPEL Process Manager for OracleAS Middle Tier installation type. 1-2 Oracle BPEL Process Manager Administrator’s Guide . inbound client service requests that use SSL transport security and J2EE basic authentication are verified by OC4J. inbound client service requests that use SSL transport security and J2EE basic authentication are verified by Oracle Application Server. With the Oracle BPEL Process Manager for Developers installation type.

Oracle Web Services Manager can instead be used to provide this capability. within the SOAP message headers. XML encryption – Used for message confidentiality. source and origin validation. as well as X. These security levels are as follows: ■ Authentication tokens – Used for passing user name and password information. See Also: ■ ■ ■ ■ "WS-Security-Compliant Services" on page 1-18 Web Services Security (WS-Security) Specifications available at the following URL: http://www. Oracle BPEL Process Manager has no current native support for inbound authorization.php?wg_ abbrev=wss Authentication Authentication is the process of proving the identity of a user. Oracle BPEL Process Manager supports basic authentication (HTTP).509 certificates.org/committees/tc_home. certificate-based authentication (HTTP/S).Security Overview This section provides an overview of the following security features in the context of Oracle BPEL Process Manager. XML digital signatures – Used for message integrity. and nonrepudiation.oasis-open. See Also: ■ The following sections: "Securing BPEL Processes (Inbound)" on page 1-5 for instructions on securing a BPEL process "Invoking Secured Services (Outbound)" on page 1-14 for instructions on invoking secured services from BPEL ■ Authorization Authorization is the evaluation of security constraints to send a message or make a request. References are also provided to sections that describe these features in more detail: ■ ■ ■ ■ ■ ■ ■ WS-Security Authentication Authorization Encryption and Decryption Secure Socket Layer Digital Signatures for Integrity and Nonrepudiation BPEL Security Extensions WS-Security WS-Security provides a mechanism for adding three levels of security to simple object access protocol (SOAP) messages. and native BPEL security extension authentication. The criteria are authentication and restriction. Authorization uses specific criteria to determine whether to permit the request. See Also: "Authorization" on page 1-29 Oracle BPEL Process Manager Security 1-3 .

See Also: "Digital Signatures" on page 1-29 BPEL Security Extensions BPEL security extensions are fully integrated into Oracle BPEL Process Manager. Java API. the same security constraints apply. SSL uses digital signatures to prevent data from being compromised.Security Overview Encryption and Decryption Encryption is the practice of encoding (encrypting) data in such a way that only an intended recipient can decode (decrypt) and read the data. See Also: "Message Encryption and Decryption" on page 1-29 Secure Socket Layer Secure Socket Layer (SSL) is a standard for the secure transmission of documents over the Internet using HTTP/S (secure HTTP). These extensions are technical and require a good understanding of Oracle BPEL Server. Oracle BPEL Process Manager has no current native support for XML encryption. the way credentials are passed differs amongst channels. Oracle Web Services Manager can instead be used to provide this capability. and so on). Oracle BPEL Process Manager’s API includes BPEL security extensions that enable developers to create custom security. SOAP. There are also many references to the Oracle BPEL Java API. SOAP and HTTP). so a good knowledge of Java is required. including the various technologies used for invoking processes (for example. Oracle BPEL Process Manager has no current native support for digital signatures. Regardless of which channel you use to invoke a process (such as HTTP. Oracle Web Services Manager can instead be used to provide digital signatures and signature verification capabilities. 1-4 Oracle BPEL Process Manager Administrator’s Guide . However. This is necessary in secure environments where users must be authenticated and authorized to use certain BPEL processes. and verifies that the document has not been compromised. See Also: ■ "Using SSL for Certificate-Based Authentication" on page 1-6 for details about using SSL to secure BPEL processes "Using SSL for Certificate-Based Authentication" on page 1-15 for details about using SSL to invoke secured services ■ Digital Signatures for Integrity and Nonrepudiation A digital signature is a code attached to an electronic document that reliably identifies the author or sender. BPEL security extensions are intended for BPEL developers who want to enhance the security of Oracle BPEL Process Manager.

Oracle BPEL Process Manager Security 1-5 . inbound client service requests that use SSL transport security and J2EE basic authentication are verified by Oracle Application Server. which is also located in SOA_Oracle_Home\bpel\docs\apidocs Securing BPEL Processes (Inbound) You can secure a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server. Figure 1–2 Securing BPEL Processes (Inbound) Inbound client service request SSL (HTTP/S)* J2EE Basic Authentication (HTTP)* BPEL Security Extensions Securing BPEL Processes: Transport Security and Authentication Methods Firewall Certificate-based authentication with Oracle Wallet Manager Oracle Application Server OC4J Oracle BPEL Process Manager Domain / Process Level Security Java API HTTP Binding SOAP over HTTP Binding Certificate-based authentication with keytool * With the Oracle BPEL Process Manager for OracleAS Middle Tier installation type. inbound client service requests that use SSL transport security and J2EE basic authentication are verified by OC4J.3)" on page 1-21 "Default and Custom Validators" on page 1-25 Oracle BPEL Process Manager Workflow Services API Reference. Figure 1–2 provides a high-level overview of the transport security and authentication methods available for securing BPEL processes (inbound). With the Oracle BPEL Process Manager for Developers installation type.Securing BPEL Processes (Inbound) See Also: ■ ■ ■ ■ ■ ■ ■ ■ "Using the Native BPEL Security Extensions" on page 1-10 "Domain and Process Level Security" on page 1-11 "Java API" on page 1-13 "HTTP Binding" on page 1-13 "SOAP over HTTP Binding" on page 1-13 "Java and EJB Binding (10.1.

Server and client certificate authentication is not as frequently used. A successful SSL handshake confirms authentication. Using SSL for Certificate-Based Authentication BPEL processes are usually invoked using SOAP over HTTP. The type of server presenting the certificate is based upon the Oracle BPEL Process Manager installation type you are using: – – For Oracle BPEL Process Manager for OracleAS Middle Tier.Securing BPEL Processes (Inbound) This section describes how to provide BPEL process security through the following methods: ■ ■ ■ Using SSL for Certificate-Based Authentication Using J2EE Basic Authentication Using the Native BPEL Security Extensions Note: Oracle recommends that you create an environment in which one or more instances of a server are dedicated to secure business processes and other instances are set up to host nonsecure processes. This is called client authentication mode. both the client and server exchange certificates and a successful SSL handshake confirms authentication. the server is the standalone OC4J in which Oracle BPEL Process Manager is deployed. While basic authentication ensures that only authenticated users access BPEL processes. Therefore. The following types of certification authentication can be used: ■ Server certificate authentication In this scenario. In the context of securing BPEL processes. The following sections describe the SSL configuration method to use based on the Oracle BPEL Process Manager installation type you are using: ■ ■ Oracle BPEL Process Manager for OracleAS Middle Tier Oracle BPEL Process Manager for Developers Oracle BPEL Process Manager for OracleAS Middle Tier SSL configuration for Oracle BPEL Process Manager for OracleAS Middle Tier is a two-step process: 1-6 Oracle BPEL Process Manager Administrator’s Guide . the client asks the server for the certificate and authenticates the trustworthiness of the server. the server is Oracle Application Server (and its version of OC4J) For Oracle BPEL Process Manager for Developers. If you use HTTP/S as the authentication schema. this means that a client invoking a service presents a valid certificate issued by a mutually-trusted certificate authority. ■ Server and client certificate authentication In this scenario. the need exists for securing the network connection through use of HTTP/S instead of HTTP. both the client and server can be configured to exchange certificates. The server (either the standalone OC4J in which Oracle BPEL Process Manager is deployed or Oracle Application Server (and its version of OC4J)) must be configured to request the client's certificate during the SSL handshake and authenticate the trustworthiness of the client. The client does not present its certificate unless it is requested by the server to do so. user names and password are prone to identification by network packet sniffers.

Restart Oracle BPEL Server. http://localhost:port/BPELAdmin 2. including private keys. certificates.Securing BPEL Processes (Inbound) ■ ■ Step 1: Configuring OC4J Step 2: Configuring Oracle BPEL Server Step 1: Configuring OC4J Use Oracle Wallet Manager to enable certificate-based authentication with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type. Log in to Oracle BPEL Admin Console. Set the following two parameters under the Configuration tab: Description The BPEL SOAP server endpoint URL of a process The BPEL SOAP callback URL of a process Example http://hostname:port http://hostname:port Parameter soapServerUrl soapCallbackUrl 4. 3. Processes deployed into Oracle BPEL Process Manager are now securely hosted at the new HTTP/S endpoint. See Also: ■ ■ Oracle Application Server Administrator’s Guide for the following SSL configuration details: Setting up a wallet and using Oracle Wallet Manager Obtaining a certificate from a certificate authority Step 2: Configuring Oracle BPEL Server Oracle BPEL Server must be configured with the SOAP server URL and SOAP callback URL.jar directories under SOA_Oracle_ Home\bpel\domains\domain_name\tmp. all of which are used by SSL for strong authentication.bpel_ TaskActionHandler_1. A wallet is a password-protected container that stores authentication and signing credentials. and trusted certificates. Oracle BPEL Process Manager Security 1-7 . Delete the default . This recreates the correct service bindings and WSDL files for the TaskManager and TaskActionHandler processes and makes them available from HTTP/S-based endpoints. obtain a certificate from a certificate authority.0.0. 5. Instead. 1. (See Figure 1–2 on page 1-5. This certificate must contain the proper server host name in the CN entry. The default certificate does not use the proper server host name.) Oracle Wallet Manager is an application for managing and editing security credentials in Oracle wallets. where domain_name is the name of the domain in which the BPEL process to secure is located.jar and .bpel_TaskManager_1. Note: Do not use the default certificate included with Oracle Wallet (named test). Enter the oc4jadmin username and password.

See the Oracle Containers for J2EE Security Guide for the following SSL configuration instructions: ■ Using keytool to enable certificate-based authentication. Using J2EE Basic Authentication J2EE basic authentication involves authentication through unsigned tokens. This is accomplished by shutting down and restarting Oracle BPEL Server. Table 1–1 J2EE Basic Authentication Supported Features Service Access Protocols HTTP only User Repository Oracle Application Server JAZN repository types: ■ ■ ■ Authentication Schemas Basic authentication (user name and password) Customization Permitted JAAS custom authorization plug-in Granularity Individual process level security OID JAZN XML JAAS custom plug-in 1-8 Oracle BPEL Process Manager Administrator’s Guide . This tool generates a keystore and a self-signed certificate. namely a user name and password. Configuring OC4J to use SSL. ■ Step 2: Configuring Oracle BPEL Server The steps to configure Oracle BPEL Server for the Oracle BPEL Process Manager for Developers installation type are the same as with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type. Notes: ■ ■ Ensure that you shut down and restart OC4J after configuring SSL. See "Step 2: Configuring Oracle BPEL Server" on page 1-7 for instructions on configuring Oracle BPEL Server.Securing BPEL Processes (Inbound) Oracle BPEL Process Manager for Developers SSL configuration for Oracle BPEL Process Manager for Developers is a two-step process: ■ ■ Step 1: Configuring OC4J Step 2: Configuring Oracle BPEL Server Step 1: Configuring OC4J 1. Access to a keystore is guarded by a password. A keystore is a protected database that holds keys and certificates for an enterprise. OC4J listens for SSL requests on one port and non-SSL requests on another. Table 1–1 describes the supported features of this method. Instead of a self–signed certificate for production environments. use a certificate from a trusted certificate authority like Verisign/Thawte by submitting a certificate request generated by keytool. When complete. The password is defined at the time the keystore is created by the user who creates the keystore. and is changeable only when providing the current password.

) The following steps describe this process. for users in JAZN XML. . . If the user name and password are authenticated. configure a new user and role in SOA_ Oracle_ Home\bpel\system\appserver\oc4j\j2ee\home\config\system-jazndata. . . 1. Oracle HTTP Server receives a service request. 3. 1. 2. (See Figure 1–2 on page 1-5. See Also: Oracle Containers for J2EE Security Guide for configuration instructions Oracle BPEL Process Manager for Developers J2EE basic authentication with the Oracle BPEL Process Manager for Developers installation type involves delegating authentication to the OC4J in which Oracle BPEL Process Manager is deployed. Oracle HTTP Server forwards the request to OC4J.Securing BPEL Processes (Inbound) The following sections describe the configuration method to use based on the Oracle BPEL Process Manager installation type: ■ ■ Oracle BPEL Process Manager for OracleAS Middle Tier Oracle BPEL Process Manager for Developers Oracle BPEL Process Manager for OracleAS Middle Tier J2EE basic authentication with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type involves delegating authentication to Oracle Application Server. the request is sent to Oracle BPEL Server for servicing.xml as follows: <user> <name>jsmith</name> <credentials>{903}9XRK6pyPRTVYN7bW5dkG1Z06C2pkBRW6</credentials> </user> .) The following steps describe this process. <role> <name>jsmithrole</name> <members> <member> <type>user</type> <name>jsmith</name> </member> </members> </role> Oracle BPEL Process Manager Security 1-9 . . OC4J validates the user name and password received in the HTTP headers against the configured identity service user repository: ■ ■ Oracle Internet Directory (OID) Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider (JAZN) XML Custom JAAS plug-in ■ 4. (See Figure 1–2 on page 1-5. Set up new users and roles in the JAZN repository: For example.

Oracle BPEL Server services the request. Oracle HTTP Server forwards the request. 2. Configure the SOA_Oracle_ Home\bpel\system\appserver\oc4j\j2ee\home\applications\orabpe l_ear\META-INF\orion-application. JAAS principals and realms) to logical J2EE groups and users by adding the following sections: <security-role-mapping name="jsmithrole"> <group name=" jsmithrole" /> </security-role-mapping> 3. Oracle HTTP Server receives a service request. (See Figure 1–2 on page 1-5.0</url-pattern> </web-resource-collection> <auth-constraint> <role-name>jsmithrole</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>jazn. 1-10 Oracle BPEL Process Manager Administrator’s Guide . Table 1–2 describes the supported features of this method. The BPEL security extension code of Oracle BPEL Process Manager validates the message received against the configured identity service user repository: ■ ■ ■ OID JAZN XML Custom JAAS plug-in 4.Securing BPEL Processes (Inbound) 2. A code segment from web.</description> <url-pattern>*/orabpel/default/HelloWorld/1.) The following steps describe this process.com</realm-name> </login-config> <security-role> <description>BPEL PM User</description> <role-name>jsmithrole</role-name> </security-role> Using the Native BPEL Security Extensions Native BPEL security extensions code can also handle authentication. If the user name and password are authenticated.xml file to protect the BPEL service endpoint URLs.0) is as follows: <security-constraint> <web-resource-collection> <web-resource-name>Default Domain Pages</web-resource-name> <description>These pages are only accessible by authenticated users.xml file. part of which is intercepted by Oracle BPEL Process Manager. Configure the SOA_Oracle_ Home\bpel\system\appserver\oc4j\j2ee\home\applications\orabpe l_ear\startup_war\WEB-INF\web.0</url-pattern> <url-pattern>*/orabpel/default/HelloSecureWorld/1. 3.xml protecting an endpoint URL http://localhost/orabpel/default/HelloWorld/1. Map the physical security roles maintained in OC4J (for example. 1.

The security interceptor provides two levels of security: ■ Domain level security If only this level is set. ■ Process level security If this level is also set. service1 with username1/passwo rd1 and service2 with username2/passwo rd2) Supports domain level protection and all services in that domain with one user name and password Normalized message properties ■ ■ Java API Remote method invocation (RMI) WS-Security (in accordance with the WS-Security Web Services Security Specification) SOAP This section contains the following topics: ■ ■ ■ ■ Domain and Process Level Security Java API HTTP Binding SOAP over HTTP Binding Domain and Process Level Security Within Oracle BPEL Server.Securing BPEL Processes (Inbound) Table 1–2 Native BPEL Security Extensions Supported Features Service Access Protocols HTTP User Repository Oracle Application Server JAZN repository types: ■ ■ ■ Authentication Schemas Basic authentication (user name and password) Customization Permitted Granularity Custom user repository using the custom validator class See Also: "Creating a Custom Validator" on page 1-26 ■ Fine grained: ■ OID JAZN XML Database-based repository Custom ■ Individual process level security (for example. Oracle BPEL Process Manager Security 1-11 . and not the framework itself. One of these plug-in handlers is the security interceptor. a message handler framework is used to control and modify inbound (calls to Oracle BPEL Server) and outbound (calls from Oracle BPEL Server) message flows. and which not to secure. in a specific domain. enables you to specify which processes to secure. Note: The following section only explains the configuration of the security interceptor. enables you to secure all processes running in a specific domain.

security. 1.collaxa. For example: <value>CreditRatingService. If you also want to enable security at the process level. If you want to enable domain level security.Securing BPEL Processes (Inbound) By default.validator. domain and process security is not enabled. both security levels can be easily enabled by modifying the SOA_Oracle_ Home\bpel\domains\domain_name\config\message-handlers. remove the comment markers shown in bold from around the SecuredProcesses attribute in the same file.oracle. HelloWorldService</value> 1-12 Oracle BPEL Process Manager Administrator’s Guide . However.uncomment for inbound security <message-handler id="security" /> --> </inbound-flow> This enables the security chain: <message-handler id="security"> <classname>com. put their names in here and comma separate them </comment> </property> --> </message-handler> 2.Authenticator</classname> <comment> <![CDATA[This is the handler for security interception]]> </comment> <property id="ACLManager"> <value>com.bpel. put their names in here and comma separate them</comment> </property> --> </message-handler> 3. BPMIdentityValidator</value> <comment>BPMIdentityValidator uses the server configured security such as JAAS to validate the user against</comment> </property> <!-<property id="SecuredProcesses"> <value>CreditRatingService</value> <comment>Processes can be secured explicitely without having effect on the whole domain. The section contains a value element that consists of a comma-separated list of process names: <!-<property id="SecuredProcesses"> <value>CreditRatingService</value> <comment>Processes can be secured explicitely without having effect on the whole domain. Specify the processes to secure in the value element of the SecuredProcesses section. the domain is named default): <inbound-flow> <message-handler id="default" /> <!-.security.bpmid.cube.xml file. remove the comment markers shown in bold from around the security attribute (for this example.

For example: <wsse:Security soapenv:actor="http://schemas. the normalized message (com. value)) added: secured = username username = password where username equals the user name that is sent.client.oasis-open. in this case.0.org/wss/2004/01/oasis-200401wss-wssecurity-secext-1. and the second pair consists of the username and the desired credential. there are multiple ways of specifying the credentials: ■ As HTTP request parameters: <input type="hidden" name="bpelUser" value="clemens"> <input type="hidden" name="bpelCredential" value="clemens"> ■ As basic authentication HTTP headers (base64-encoded): Authentication=BASIC <BASE64-HASH> ■ As normal name-value HTTP header pairs. where the key for the user is bpelUser and the key for the password is bpelCredential SOAP over HTTP Binding When using SOAP binding. Restart Oracle BPEL Server. 4. add only the first pair: secured = Clemens HTTP Binding When you use direct HTTP binding to invoke a process.org/soap/envelope/"> <wsse:UsernameToken xmlns:wsu="http://docs. use the DeliveryService.org/wss/2004/01/oasis-200401- Oracle BPEL Process Manager Security 1-13 .NormalizedMessage) needs the following properties (through NormalizedMessage:setProperty(key.xsd" xmlns:soapenv="http://schemas.bpel. However.oracle.oasis-open.org/soap/actor/next" soapenv:mustUnderstand="1" xmlns:wsse="http://docs. This enables the default validator bridge to be used for authentication and authorization. For example: secured = Clemens Clemens = pwForClemens Note: You can also send an empty password.xmlsoap.Securing BPEL Processes (Inbound) Any other processes in this domain that are not specified in the value element are not secured. See Also: "Using the Default Validator" on page 1-25 for information about the validator bridge Java API For invocation of a process.xmlsoap. the only currently supported method for passing a user name credential is as a WS-Security compliant SOAP header.

the class com.xsd"><wsse:Username>Clemens </wsse:Username><wsse:Password Type= "http://docs.client.0.oracle.util. To create a WSSE header element with the new namespace.xmlsoap.oasis-open. String pCredential) Note that createWSSecurityHeader represents the older Java standard.WSSecurityUtils can generate a header element of the namespace.SOAPException in case the element cannot be constructed * @return the headerElement needed for the header of the call * @param pCredential the credential * @param pUsername the username */ public static SOAPHeaderElement createWSSecurityHeader (String pUsername. For example: /** * Create a WSSecurity compliant token from username and password UsernameToken!! * @throws javax. use this method located in the WSSecurityUtils class: public static SOAPHeaderElement createOASISWSSecurityHeader (String pUsername.soap. String pCredential. boolean pIsWSPolicyCompliant) throws SOAPException { Invoking Secured Services (Outbound) You can invoke secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running.org/wss/2004/01/oasis-200401wss-username-token-profile-1. The configuration procedures for invoking secured services are the same for either Oracle BPEL Process Manager installation type: ■ ■ Oracle BPEL Process Manager for Developers Oracle BPEL Process Manager for OracleAS Middle Tier Figure 1–3 provides an overview of the transport security and authentication methods available for invoking secured services (outbound): 1-14 Oracle BPEL Process Manager Administrator’s Guide .xml.org/ws/2002/07/secext namespace.Invoking Secured Services (Outbound) wss-wssecurity-utility-1.bpel. you must apply the new namespace or else it defaults to the http://schemas.0#PasswordText">pwForClemens </wsse:Password> </wsse:UsernameToken> </wsse:Security> When using Java to call a service endpoint through SOAP. Since the change to the WS-Security standard in 2004.

is required to verify the trustworthiness of the partner link (server authentication). You can invoke services from Oracle BPEL Process Manager that have a SOAP or HTTP binding. the WSDL of that service contains the information in the service binding. the default SunJSEE functionality is used by Oracle BPEL Process Manager and the Oracle BPEL Process Manager Security 1-15 . Verifying the certificate presented by the partner link server satisfies this requirement. (See Figure 1–3 on page 1-15. Oracle BPEL Process Manager support for SSL is Java Secure Socket Extension (JSSE)-standards based and relies on the default SunJSSE provider for cryptographic services.3) Using SSL for Certificate-Based Authentication If a partner exposes an HTTP/S-based service. which acts as a client to the secured service of the partner link server. Oracle BPEL Process Manager relies on standard JSSE keytool and JSSE mechanisms.) The following types of certification authentication can be used: ■ Server certificate authentication During the SSL handshake process. Oracle BPEL Process Manager. For configuring the keystore and truststore.Invoking Secured Services (Outbound) Figure 1–3 Invoking Secured Services (Outbound) Oracle Application Server OC4J Oracle BPEL Process Manager (Client) WSIF Layer SSL (HTTP/S) Certificate-based authentication with keytool WS-Security Compliant Services (SOAP Binding) Axis Services J2EE Basic Authentication (HTTP) Java and EJB Binding Invoking Secured Processes: Transport Security and Authentication Methods Firewall Outbound Oracle BPEL Server client request Server on which partner link web service is running This section contains the following topics: ■ ■ ■ ■ ■ Using SSL for Certificate-Based Authentication WS-Security-Compliant Services Axis Services with Custom Authentication Handlers J2EE Basic Authentication Protected Services (HTTP) Java and EJB Binding (10.1. To do this.

If jssecacerts is not present. If the partner link server uses a self-signed certificate. This is different from the keystore. you must also set up a certificate for Oracle BPEL Process Manager. The keytool can be used to save that certificate and keys in the keystore and truststore.html for details about SSL. ■ Server and client certificate authentication During the handshaking process. If the partner link server presents a certificate chain. creating keystores and truststores to use with JSSE. This requirement is not in wide practice. This tool is useful for performing operations such as the following: ■ ■ ■ Creating new keystores and truststores Reading and listing information present in the stores Updating and deleting existing entries in keystores and truststore Notes: ■ Do not use Oracle Wallet Manager to create a security certificate for communication between the client Oracle BPEL Server and the server on which the partner link Web service is running. in which private and public key entries are present. html#security for details about using keytool Oracle Containers for J2EE Security Guide for details about using keytool ■ ■ ■ 1-16 Oracle BPEL Process Manager Administrator’s Guide . and debugging and troubleshooting issues http://java. Note that it is not possible to know from the WSDL of the service if the partner link service requires this. This is because Oracle BPEL Server is the client in this type of interaction.sun. No Oracle BPEL Server configuration is required when invoking secured services. Oracle BPEL Process Manager) present its certificate for verification.sun.2/docs/tooldocs/tools. Keystore and truststore files are created and managed with JDK’s keytool. such as understanding how SSL works. For these situations. It is beneficial to set up a truststore in which trusted certificate entries are placed. This is called client authentication mode.4. a partner link server can sometimes require that the client (in this scenario. then the root certificate of that chain must be part of the truststore. this certificate must be placed as a trusted entry in the truststore. The certificate can be self-signed or provided by a certificate authority. cacerts also serves as the truststore.Invoking Secured Services (Outbound) truststore used in the process must contain the appropriate certificate entries. The default keystore and truststore files located in the jre\lib\security directory for your JDK installation are used: ■ ■ The cacerts file is the default keystore The jssecacerts file (if present) is the truststore file.sun.com/j2se/1. ■ See Also: ■ http://java.4.com/products/jsse/ for JSSE details http://java.com/j2se/1.2/docs/guide/security/ jsse/JSSERefGuide.

You can use the base64-encoded format. Ensure that the correct keystore is used by OC4J and Oracle BPEL Process Manager: If your keystore is the default cacerts file keystore located in SOA_Oracle_ Home\jdk\jre\lib\security directory. If the default truststore and keystore are the same.* file for your operating system.net.keyStorePassword=your_keystore_password Note: While you can also edit the startorabpel. If you do not want to store the server certificate of the partner link server. Oracle BPEL Process Manager Security 1-17 . You can use keytool to help with this process.sh for UNIX installations) to include the following lines: –Djavax. If not. then edit obsetenv. a. Enter yes because you trust this server certificate. After the page is loaded on Internet Explorer. After connecting to the server. c. Click the lock to display a window that provides details about the certificate.ssl.Invoking Secured Services (Outbound) Oracle JDeveloper Design Time To access secured WSDLs. 2.bat file (or startorabpel.keyStore=path_to_your_certificate_store -Djavax.ssl. a pop-up window displays the following message (if you have not already updated your browser's store with this certificate): Security Alert: Do you trust this certificate or not? b.sh file for UNIX installations) to include these lines. Use that file to import the server certificate to your default truststore. a lock displays in the status bar in the bottom right corner of your browser window. Oracle JDeveloper must be configured at design time just like Oracle BPEL Server. f. Oracle recommends that you instead edit the obsetenv.cer). HTTP/S with Partner Link Server Certificate Authentication Only Follow these steps to configure Oracle BPEL Process Manager for this environment: 1. e. d. Click the Details tab and copy the certificate to a file (for example. you can ensure that a mutually-trusted root and certificate authority certificate is in your truststore or keystore.cer -keypass keystore_password -keystore cacerts g. Ensure that the keystore is configured appropriately to invoke the mutually-trusted certificate or the server certificate of the partner link. Oracle BPEL Server Runtime This section describes how to configure HTTP/S with the partner link Web service server and the Oracle BPEL Server client side certificates.net.bat (or obsetenv. the command to import this certificate into the default cacerts keystore is as follows: SOA_Oracle_Home\jdk\bin\keytool -import -v -file TestServiceServerCert. named TestServiceServerCert. no changes are required. Connect through the Web browser to the endpoint URL of the service to invoke.

Set up OC4J to use SSL.ssl. ■ credentials Passes credentials from the descriptor wsseUsername wssePassword The user name for the token (required) The password for the token (optional) Takes effect immediately Takes effect immediately 1-18 Oracle BPEL Process Manager Administrator’s Guide .trustStorePassword=your_truststore_password See Also: http://java. you should enter the following: -Djavax. 3. Ensure that the correct keystore and truststore are used by OC4J and BPEL.com/j2se/1.trustStore=path_to_truststore -Djavax. Ensure that a mutually-trusted certification authority certificate is in the truststore and keystore.4. The steps to configure the client to invoke partner links that require client authentication are similar to the steps to invoke partner links with only server side authentication enabled. the host OC4J server certificate in the keystore) The client certificate or a mutually-trusted CA certificate in the keystore and truststore The high level steps involved are as follows: 1.h tml#security for details about using keytool HTTP/S with Partner Link Server and Oracle BPEL Server Client Certificate Authentication This section describes how to configure the Oracle BPEL Server client.net. Table 1–3 Properties Description Creates a WS-Security UsernameToken with the following values: ■ Property Name wsseHeaders On Change Takes effect immediately propagate If the process has been invoked securely. If you are using a different truststore from the default. these credentials are also used for the outbound direction. These properties are configurable at the individual partner link level.2/docs/tooldocs/tools. BPEL can be configured to invoke the partner link with these. The difference is the keystore that BPEL uses for this environment has the following certificates in the following locations: ■ ■ Its own (that is.ssl. WS-Security-Compliant Services If a partner link expects WS-Security-compliant authentication tokens. (See Figure 1–3 on page 1-15. as described in Step 2 of "HTTP/S with Partner Link Server Certificate Authentication Only" on page 1-17.Invoking Secured Services (Outbound) 3.sun.net. as described in "Step 1: Configuring OC4J" on page 1-8.) Table 1–3 shows the relevant properties. 2.

add the following (which builds a WS-Security Header): <property name="wsseHeaders">credentials</property> <property name="wsseUsername">your_user</property> <property name="wssePassword">your_password</property> For case 4. add the following (attached to the SOAP call(setUsername.wsdl</property> </partnerLinkBinding> </partnerLinkBindings> For case 1.org/committees/tc_home.Invoking Secured Services (Outbound) See Also: ■ Oracle BPEL Process Manager Developer’s Guide for additional details about these deployment descriptor properties Web Services Security (WS-Security) Specifications available at the following URL: http://www. add the following (attached to the SOAP call(setUsername. <partnerLinkBindings> <partnerLinkBinding name="client"> <property name="wsdlLocation">CreditRatingService. Oracle BPEL Server does not propagate any credentials.oasis-open. and sent out Configuration By default.php?wg_ abbrev=wss ■ SOAP Binding When using SOAP binding. and sent out ■ Case 4 Static definition of a user name and password that is used for http-basic-authentication. there are four possible cases: ■ Case 1 Propagation of the credentials over a partner link (if the process is invoked securely over any API) for WS-Security headers ■ Case 2 Propagation of the credentials over a partner link (if the process is invoked securely over any API) for basic authentication ■ Case 3 Static definition of a user name and password put into a WS-Security compliant user name token. setPassword)): <property name="basicHeaders">credentials</property> Oracle BPEL Process Manager Security 1-19 .xml (found in the BPEL suitcase). All partner links that are used within a BPEL process are defined in bpel. even if the process is invoked securely. setPassword)): <property name="basicHeaders">propagate</property> For case 3. add the following property (which causes BPEL to add the process-credentials to the outgoing call): <property name="wsseHeaders">propagate</property> For case 2.

1. so they do not affect any other partner links as long as they are not specified on this specific binding.0.2) HTTP Binding (10.org/ws/2002/07/secext namespace. ■ credentials Passes credentials from the descriptor basicUsername basicPassword The user name for the token (required) The password for the token (optional) Takes effect immediately Takes effect immediately J2EE Basic Authentication Protected Services (HTTP) This section describes HTTP basic authentication. add the following property: <property name="wsseOASIS2004Compliant">true</property> Axis Services with Custom Authentication Handlers Table 1–4 shows the configurable properties at the partner link level for Axis services.2.3) HTTP Basic Authentication (10. these credentials are also used for the outbound direction. you need to apply the new namespace or else it defaults to the http://schemas. Table 1–5 Properties Description This is used for HTTP user name/password authentication On Change Takes effect immediately Property Name httpUsername 1-20 Oracle BPEL Process Manager Administrator’s Guide .2.Invoking Secured Services (Outbound) <property name="basicUsername">your_user</property> <property name="basicPassword">your_password</property> Note: All these properties are on a per partner link basis. Since the change to the WS-Security standard in 2004.0. These properties can be set to authenticate services that use HTTP headers for authentication in 10.0. The section contains the following topics: ■ ■ HTTP Basic Authentication (10.2.xmlsoap.2.1. Table 1–4 Properties Description Creates a WS-Security UsernameToken with the following values: ■ Property Name basicHeaders On Change Takes effect immediately propagate If the process has been invoked securely. To apply the new namespace.1.1.2) Table 1–5 shows the deployment descriptor properties configurable at the partner link level.

1. However.1.3) Starting with Oracle BPEL Process Manager release 10.oracle. and the map contains all partner link properties.Invoking Secured Services (Outbound) Table 1–5 (Cont.) Properties Property Name httpPassword Description This is used for HTTP user name/password authentication On Change Takes effect immediately HTTP Binding (10.1. when outbound HTTP binding is used.3) Starting with Oracle BPEL Process Manager release 10. all partner link properties are automatically propagated into the HTTP header.1.3. credentials can be used for basic authentication.client.bpel. partner link properties can be propagated into the implementing class or EJB by implementing this interface: com. if configured: <property name="httpBasicHeaders">credentials</property> <property name="httpBasicUsername">your_username</property> <property name="httpBasicPassword">your_password</property> Or they can simply be propagated from the process instance: <property name="httpBasicHeaders">propagate</property> Java and EJB Binding (10.3.wsif. This method is called directly after the class or bean has been created.IjavaEjbPlnkBindingInfo It contains the following method: /** * This method will be called immediately after the new instance * of the class/bean has been created * * @param pProperties the map containing name/value pairs */ public void setPlnkProperties(HashMap pProperties). Oracle BPEL Process Manager Security 1-21 .

bpeladmin. BPMSystemAdmin BPMDefaultDomainAdmin Provides access to only the default domain accessible through Oracle BPEL Control. and default users can be changed through Oracle Enterprise Manager 10g Application Server Control Console. Use the oc4jadmin user account when creating application server connections in the Connection Navigator of Oracle JDeveloper. Other user accounts. Oracle recommends that you change the passwords for the bpeladmin and default users after installation. and Domains Roles ■ Domains bpeladmin User account with the BPMSystemAdmin role and a default password of welcome1. default. such as bpeladmin. 1-22 Oracle BPEL Process Manager Administrator’s Guide . both consoles are fully integrated with Oracle Application Server J2EE and JAAS security features. default — Enables you to partition and manage Provides access to all instances of your processes. This section provides the following examples: ■ ■ ■ Example 1: Creating New Users and Groups to Access New BPEL Domains Example 2: Creating a New User to Access the Default BPEL Domain Example 3: Creating a New User to Access All BPEL Domains Notes: These examples use a:/home/oc4j/bpel/lib as the directory location for orabpel-boot. roles. Table 1–6 describes these features: Table 1–6 Users ■ Oracle BPEL Process Manager Roles. do not have the RMI permissions and cannot be used when creating application server connections in Oracle JDeveloper. and domains for performing BPEL process management from Oracle BPEL Control and Oracle BPEL Admin Console. as necessary. This role does not provide access to Oracle BPEL Admin Console. In addition. Beginning with this release. or any new user accounts you created. ■ default User account with the BPMDefaultDomainAd min role and a default password of welcome1.Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles The Oracle Application Server oc4jadmin administrator account enables you to log into Oracle BPEL Control and Oracle BPEL Admin Console and manage BPEL processes. Passwords for the oc4jadmin. Oracle BPEL Process Manager automatically includes a set of users. Substitute this path with the one appropriate to your environment.jar. Users. ■ The Oracle Application Server oc4jadmin administrator account also includes the BPMSystemAdmin role. Oracle BPEL Admin Console. You can create new users and groups and assign them to new domains or the default domain automatically included with Oracle BPEL Process Manager. domains accessible through You can create additional Oracle BPEL Control and domains.

1. 1.jar -jar jazn. and default passwords Oracle Containers for J2EE Security Guide for information about Java SSO (JSSO).1.2 Oracle Internet Directory" on page 2-7. Create a new user named soaAdmin and group named BPMsoaAdminDomainAdmin in Oracle Internet Directory. – – Oracle BPEL Process Manager Security 1-23 .jar -shell -grantperm jazn. OracleAS JAAS Provider Admintool examples. and additional security management tools available for file-based providers and Oracle identity management providers ■ ■ ■ Example 1: Creating New Users and Groups to Access New BPEL Domains This section describes how to create a new user and group to access a new BPEL domain.1. This parameter indicates the level of actions the user or group can perform.1.0 identity service with 10.3.security. soaAdmin — Is a parameter to the permission class.collaxa. "Demo User Community" for additional details about the BPMSystemAdmin and BPMDefaultDomainAdmin roles Oracle BPEL Process Manager Developer’s Guide for additional details about the BPMSystemAdmin and BPMDefaultDomainAdmin roles and domain management Oracle Application Server Administrator’s Guide for instructions on changing the oc4jadmin. all — Is a parameter to the permission class. The management tool to use to create the user and group is based on the type of identity service provider you are using. Use the JAZN Admin tool to grant domain permissions to user soaAdmin or group BPMsoaAdminDomainAdmin: java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot. 4.security. or java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot. you use Oracle Internet Directory to create the user and group and the OracleAS JAAS Provider Admintool of the XML-based JAZN provider to grant the necessary domain permissions to the new user and group. In this example.security.jar -jar jazn.3. This permission class does not provide access to Oracle BPEL Admin Console.com -role BPMsoaAdminDomainAdmin com.DomainPermission soaAdmin all where: – com. Configure the 10.collaxa.1.DomainPermission soaAdmin all 2. bpeladmin.1. 3. Create a new domain in the Oracle BPEL Admin Console named soaAdmin.com -user soaAdmin com.0 with 10.Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles See Also: ■ Appendix A.2 Oracle Internet Directory as described in "Configuring Identity Service 10.collaxa. This parameter indicates the name of the domain to which the user has access.jar -shell -grantperm jazn.DomainPermission — Is the name of the permission class.

In this example. you use the OracleAS JAAS Provider Admintool to create a user and grant the BPMSystemAdmin role to the user.Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles Note: The user soaAdmin or group BPMsoaAdminDomainAdmin receives either all or no privileges in the soaAdmin domain. In this example. You cannot assign specific actions to a user or group.com. The management tool to use to create the user is based on the type of identity service provider you are using.com mike 3. % java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.jar -jar jazn.jar -shell -grantrole BPMSystemAdmin jazn. % java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.com. This permission provides access to all domains and to Oracle BPEL Admin Console.jar -shell -grantrole BPMDefaultDomainAdmin jazn. 1.jar -jar jazn.jar -jar jazn. This permission also automatically includes the default (com.DomainPermission) permission. 5. Log into Oracle BPEL Control. Log into Oracle BPEL Control. The management tool to use to create the user is based on the type of identity service provider you are using.jar -shell -adduser jazn. 1-24 Oracle BPEL Process Manager Administrator’s Guide .security. 1.security.com with a password of welcome. and so on. Grant the role BPMSystemAdmin to user mike in realm jazn. This user also receives the com. Grant the role BPMDefaultDomainAdmin to user mike in realm jazn. you use the OracleAS JAAS Provider Admintool to create a user and grant the BPMDefaultDomainAdmin role to the user. update permissions.jar -jar jazn.com mike welcome 2. % java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.collaxa. Create a user named mike in realm jazn. Create a user named mike in realm jazn.collaxa. % java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.ServerPermission permission. such as specifying read-only permissions.com with a password of welcome. Example 2: Creating a New User to Access the Default BPEL Domain This section describes how to create a new user to access the default BPEL domain automatically included with Oracle BPEL Process Manager.jar -shell -adduser jazn. Example 3: Creating a New User to Access All BPEL Domains This section describes how to create a new user to access all BPEL domains. Log into Oracle BPEL Control.com mike 3.com mike welcome 2.

BPEL concatenates the process name and ExecutionRole and expects the supplied user to belong to a role of that name. created in SOA_Oracle_ Home\j2ee\home\config\system-jazn-data. or a custom repository plug-in as your identity store.xml if you are using JAZN): <role> <name>CreditRatingServiceExecutionRole</name> <members> <member> <type>user</type> <name>Clemens</name> </member> </members> </role> See Also: ■ ■ "Configuring the Identity Service" on page 2-1 Oracle BPEL Process Manager Developer’s Guide for additional details about BPEL identity services Oracle BPEL Process Manager Security 1-25 . If you want to invoke a BPEL process. For example. For example: <property name="user">Clemens</property> <property name="pw">your_password</property> ■ If a role is specified in the BPEL suitcase. in Oracle Application Server you can use JAZN.xml. For example. For example: <user> <name>Clemens</name> <credentials>!yourpassword</credentials> </user> BPEL security validation is evaluated in the following order: ■ If the BPEL suitcase contains the credentials within the configurations tag in bpel. or. <property name="role">administrators</property> This method is useful when many processes are used and identity management cannot be reconfigured with a new role for each process. your user name must be in the configured store. the user specified in the request must exist in the identity management store and must belong to that group.xml (for the Oracle BPEL Process Manager for OracleAS Middle Tier installation type).Default and Custom Validators Default and Custom Validators Two types of identity store validators are available for authenticating users: ■ ■ Using the Default Validator Creating a Custom Validator Using the Default Validator Oracle BPEL Process Manager provides a bridge to your identity store through the BPEL Identity Service. he must belong to a group named CreditRatingServiceExecutionRole as defined in your identity store (for example. in the case of JAZN. system-jazn-data. Oracle Internet Directory (OID). ■ If neither of the security validators described above are found. if user Clemens invokes the CreditRatingService process.

oracle.oracle.security.bpel. domain and revision of the process * @param pMessage the message will hold all information. 1-26 Oracle BPEL Process Manager Administrator’s Guide . To accomplish this. including * the domain information and headers * @throws ServerException in case something breaks */ public abstract boolean isAllowedToExecuteProcess (BPELProcessId pProcessID. import com. the following interface must be implemented and the message handler reconfigured. /** * This source is proprietary to ORACLE CORPORATION * 2005.ServerException * @since 1.1 */ public abstract class ACLManager extends BaseACLManager { /** * Public constructor that should use a cache for connections * and care about other stuff. All rights reserved */ package com.BPELProcessId. /** * Checks if a user is allowed to execute (=invoke) a certain revision * (if given) of a process.client.bpel. NormalizedMessage pMessage) throws ServerException. * @throws com.client.client.NormalizedMessage. including * the domain information and headers * @throws ServerException in case something breaks */ public abstract boolean validateUser (BPELProcessId pProcessID.client.0 */ public ACLManager() throws ServerException { } /** * Checks if a user is valid in the context of a secured Process * * @return valid or not * @param pMessage the message will hold all information.Default and Custom Validators Creating a Custom Validator It is sometimes necessary to implement a custom validator when the default does not meet your requirements.oracle.oracle.bpel.bpel. import com. import com. * * @return true if he is otherwise false * @param pProcessId the name.bpel.ServerException.oracle. NormalizedMessage pMessage) throws ServerException. /** * Public abstract class that has to be implemented * for having a valid ACLManager that is used by the BPEL server * for authentication & authorization * * @version 1.

/** * Checks if a user is allowed to lookup a certain revision * (if given) of a process. /** * Checks if a user is allowed to lookup a certain activity of a process. * * @return true if he is otherwise false * @param pActivityName the name of the Activity * @param pProcessId the name.xml: <property id="ACLManager"> <value>com. * * @return true if he is otherwise false * @param pMessage the message will hold all information. including * the domain information and headers * @throws ServerException in case something breaks */ public abstract boolean isAllowedToExecuteActivity (BPELProcessId pProcessID. the class must reside in SOA_Oracle_ Home\bpel\system\classes to be reached by the class loader. NormalizedMessage pMessage) throws ServerException. domain and revision of the process * @param pActivityName the name of the Activity * @param pMessage the message will hold all information.Default and Custom Validators /** * Checks if a user is allowed to execute (=invoke) a certain activity * of a process. Oracle BPEL Process Manager Security 1-27 . including * the domain information and headers * @param pProcessId the name. domain and revision of the process * @throws ServerException in case something breaks */ public abstract boolean isAllowedToLookupProcess (BPELProcessId pProcessID. NormalizedMessage pMessage.bpmid. NormalizedMessage pMessage. String pActivityName) throws ServerException.security.oracle. * * @return true if he is otherwise false * @param pProcessId the name. String pActivityName) throws ServerException.validator.bpel. } After implementation. The second step is to reconfigure the following property in message-handlers.BPMIdentityValidator</value> <comment>BPMIdentityValidator uses the server configured security such as JAAS to validate the user against </comment> </property> where value must point to the classname (including the package) of the implemented validator class. domain and revision of the process * @throws ServerException in case something breaks */ public abstract boolean isAllowedToLookupActivity (BPELProcessId pProcessID.

assume Oracle BPEL Process Manager is installed on a host named internal123.company. and WS-Security. For example. Oracle Web Services Manager provides sophisticated authentication capabilities.proxyPort=8090" "-Dhttp.sh file on Unix or Linux. Message Encryption.com.proxyHost=myproxy004. This section contains the following topics: ■ ■ ■ Authorization Message Encryption and Decryption Digital Signatures See Also: ■ ■ ■ ■ ■ Oracle Web Services Manager Installation Guide Oracle Web Services Manager Deployment Guide Oracle Web Services Manager User and Administrator Guide Oracle Web Services Manager Upgrade Guide Oracle Web Services Manager Extensibility Guide 1-28 Oracle BPEL Process Manager Administrator’s Guide . Oracle Web Services Manager supports authentication using HTTP basic authentication.com" "-Dhttp.nonProxyHosts to the server that hosts Oracle BPEL Server.com" By setting http.Invoking a Partner Web Service through a Proxy Server Invoking a Partner Web Service through a Proxy Server You can configure Oracle BPEL Process Manager to invoke a partner Web service through a proxy server. You may want to expand the nonProxyHosts list to include other servers inside your corporate network or other logical names for the internal123 host by using | as a delimiter.bat file on Windows or SOA_Oracle_Home/bpel/bin/obsetenv.proxyPort.proxySet=true" "-Dhttp. By setting the http. Perform the following steps to configure ant tasks and Oracle BPEL Process Manager to invoke the partner Web service through an HTTP proxy server. you activate the client proxy and redirect all the outbound traffic through http. 1. Netegrity.com on port 8090. Modify the line set OB_JAVA_PROPERTIES= as follows: set OB_JAVA_PROPERTIES="-Dhttp.company.company. Using Oracle Web Services Manager for Authorization. Oracle Web Services Manager can be used. you prevent the local request from going through the proxy.proxySet to true. For those features.509 Certificates. All the outbound HTTP traffic must be routed through an HTTP proxy server located at myproxy004. and X.proxyHost and http. 2.myPartner.com and one of your deployed BPEL processes must invoke a synchronous Web service hosted outside the fire wall at http://services. Open the SOA_Oracle_Home\bpel\bin\obsetenv. and Digital Signatures There are several security features for which Oracle BPEL Process Manager does not currently provide native support. LDAP.nonProxyHosts=internal123.company. COREid.

Summary Authorization Outbound authorization in the context of BPEL invoking a service is within the responsibility of the service provider and its implementation of authorization. and native BPEL security extension authentication. While Oracle BPEL Process Manager has no current native support for XML encryption. Oracle Web Services Manager provides the following capabilities to let authorized users access BPEL processes: ■ Supports authorization based on the information contained in any part of the XML message or body Provides the following fine-grained access control: – – Access control at the service level Access control at the SOAP method level ■ ■ Supports WS-Security Message Encryption and Decryption This section describes the actual message encryption. Oracle Web Services Manager performs the following tasks: ■ ■ ■ ■ Intercepts this request Checks if the service has a digital signature verification policy to be honored Verifies the signature Passes this request to BPEL to be serviced Similarly. when BPEL invokes a partner link. Digital Signatures While Oracle BPEL Process Manager has no current native support for digital signatures. Invoke secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running. The following security methods are described: SSL authentication. Oracle Web Services Manager provides the following encryption and decryption features: ■ ■ WS-security compliant message and content encryption and decryption Full or partial message encryption. The following security methods are described: SSL authentication. Summary This chapter describes how to perform the following procedures: ■ Secure a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server. Oracle Web Services Manager provides digital signatures and signature verification capabilities. When a client invokes a service. WS-Security-compliant services. XML encryption is covered by the WS-Security profile. Oracle Web Services Manager attaches a digital signature to the SOAP header of the message. enabling you to specify an XPath expression to the part of the message that requires encryption. HTTP basic authentication ■ Oracle BPEL Process Manager Security 1-29 . J2EE basic authentication. While Oracle BPEL Process Manager has no current native support for inbound authorization.

Oracle Web Service Manager can be used to provide authorization. 1-30 Oracle BPEL Process Manager Administrator’s Guide . and native BPEL security extensions. and digital signature support with Oracle BPEL Process Manager.Summary protected services. This chapter also provides details about the default and custom identity store providers available with Oracle BPEL Process Manager. An overview of Oracle Web Service Manager is also provided. Axis services with custom authentication handlers. message encryption and decryption.

and groups. roles.1. By default. The following sections describe how to configure the identity service. and user and group properties Structure of the Identity Service Configuration File The identity service configuration is defined in the is_config. namely OracleAS JAAS Provider (JAZN). supported identity service providers.1.3. This chapter contains the following topics: ■ ■ ■ ■ Configuring the Identity Service Configuring the Notification Services Configuring the Workflow Service Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry Summary ■ Configuring the Identity Service The identity service is a thin Web service layer on top of the Oracle Application Server 10g security infrastructure. ■ ■ ■ ■ ■ ■ Structure of the Identity Service Configuration File Configuration for the XML-Based JAZN Provider Configuring Identity Service 10. it is stored in SOA_Oracle_Home\bpel\system\services\config Service Configuration 2-1 .0 with 10. and privileges.1. The identity service enables authentication and authorization of users and the lookup of user properties.2 Service Configuration This chapter describes configuration procedures for Oracle BPEL Process Manager services. or any custom user repository.2 Oracle Internet Directory Configuration for a Third-Party LDAP Server Configuration for Custom Identity Repository Plug-ins Setting Up Group Ownership See Also: Oracle BPEL Process Manager Developer’s Guide for details about creating realms. users. The file must be located in a directory that is included in the CLASSPATH of Oracle BPEL Process Manager. group memberships.xml file.

You can specify more then one provider for each configuration. LDAP. or authentication). If several configurations are defined in is_config. or custom repository plug-ins. which can have many configurations. Each type defines providers used by the identity service. the provider uses the identity service. authorization.xml file is stored in: SOA_Oracle_Home\bpel\system\services\schema\is_config. Figure 2–1 ISConfiguration Root Configuration The identity service configuration file (as defined by is_config. Each configuration must be named in the realmName attribute. unless otherwise specified in the service attribute. which can contain many configurations.Configuring the Identity Service The XML schema for the is_config. or CUSTOM. which can be JAZN. one configuration must be marked as default. At least one provider associated with the identity service must be defined in the configuration. 2-2 Oracle BPEL Process Manager Administrator’s Guide . The identity service supports the following plug-in types: JAZN provider. provider Element The provider element specifies the providerType.xsd) consists of a root element ISConfiguration. Figure 2–2 shows the provider element configuration. and any provider-specific properties.xml. A provider is always associated with one of the possible services (identity. By default. provider name (optional). third-party LDAP directories.xsd Figure 2–1 shows the root element configuration.

See "Configuration for the XML-Based JAZN Provider" on page 2-6 for more information about userPropertiesFile.xml.xml"/> </provider> <provider providerType="CUSTOM" name="CustomPlugIn" service="Authentication" class="package. Similarly. in the case of the JAZN XML provider. you must set the providerType attribute to JAZN and specify the value of the userPropertiesFile attribute.com"> <provider providerType="JAZN" name="xml" service="Identity"> <property name="userPropertiesFile" value="users-properties. The configuration has one JAZN provider associated with the default identity service and another CUSTOM provider used for the authentication service. In the code example above.oracle.Configuring the Identity Service Figure 2–2 provider Element If the providerType is JAZN. Therefore. Note: For example. you must set the providerType attribute to CUSTOM. as follows: <?xml version = '1. the value for configuration attribute realmName must match the existing JAZN realm defined in jazn. one configuration is defined with two service providers.0' encoding = 'UTF-8'?> <ISConfiguration xmlns="http://www.CustomAuthenticationService" /> </configuration> </configurations> </ISConfiguration> Multiple Service Providers The identity service supports multiple service parameters. the custom Service Configuration 2-3 . You then specify the class name for custom identity service plug-in implementation.name.com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="jazn. if you use a custom plug-in to the identity service.

authorization. The identity service overwrites the is_config. which can be used by custom plug-ins.xml file after reading the configuration and encrypts the user password if it finds it in plain text. and a Boolean flag (encrypted) to specify that the password is either in plain text or is encrypted.0' encoding = 'UTF-8'?> <ISConfiguration xmlns="http://www. connection Element The connection element is used to specify the URL.CustomIdentityService"> <property name="customProperty" value="customValue" /> </configuration> </configurations> </ISConfiguration> In addition. the property element can be defined as part of any other elements (userControls.com"> <provider providerType="CUSTOM" name="CustomPlugIn" service="Identity" class="package. the admin username (binddnbind as this Distinguished name).com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="jazn.name. Figure 2–3 connection Configuration The connection can specify connection pool properties by setting the following attributes on the pool element: ■ initsize—initial size of the connection pool 2-4 Oracle BPEL Process Manager Administrator’s Guide . Most of these parameters apply to JAZN-based or LDAP-based providers. Figure 2–3 shows the structure of the connection configuration. but can also be used by custom providers. and identity service providers Optional Parameters The provider can also define the following optional parameters in the configuration file. search. searchControls. See Also: The "Oracle BPEL Process Manager Workflow Services" chapter of Oracle BPEL Process Manager Developer’s Guide for additional details about the authentication. The provider element enables you to specify additional property elements.oracle. the credential (password) for the LDAP or RDBMS connection used by the identity service. and so on) in the configuration file. An example follows: <?xml version = '1.Configuring the Identity Service provider is used for user authentication calls while the JAZN XML provider is used for all authorization and identity service inquires.

Figure 2–5 shows the structure of the roleControls element. Figure 2–4 shows the structure of the userControls element. Figure 2–4 userControls Element The roleControls element is used to define role controls and restrict the LDAP role search. Figure 2–5 roleControls Element Both userControls and roleControls can have a search element that has the following optional attributes: Service Configuration 2-5 . userControls and roleControls Elements The userControls element is used to define user controls and to restrict the LDAP user search.Configuring the Identity Service ■ ■ ■ maxsize—maximum size of the connection pool prefsize— preferred size of the pool timeout—time after which the connection is released if there is no activity (in seconds) The LDAP plug-in for the identity service uses the following default values: ■ ■ ■ ■ initsize="2" maxsize="25" prefsize="10" timeout="60" If you are using a custom identity service plug-in. you can also specify any additional connection-specific properties as name-value pairs.

in which the search descends one level from the supplied DN. or task escalation may not work.xml file stores all extended user's properties.xsd 2-6 Oracle BPEL Process Manager Administrator’s Guide .xml in the Oracle BPEL Process Manager classpath. manager views. If this file is not created.Configuring the Identity Service ■ searchbase—a list of LDAP entries. the following can occur: ■ Certain workflow functionality such as notifications. ■ ■ By default. scope—determines the search level. the distinguished names (DNs) of user or group containers.xml"/ This element is in: SOA_Oracle_Home\j2ee\home\config\jazn. However. The JAZN element is defined as follows: jazn provider="XML" location=".com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="jazn. Workflow rule creation is disabled for all users who do not have the BPMWorkflowAdmin role. This is not required for JAZN authorization or authentication.oracle. in which the search descends the hierarchy from the DN to the lowest level in the tree. The value can be onelevel.com"> <provider providerType="JAZN" name="xml" service="Identity"> <property name="userPropertiesFile" value="users-properties.0' encoding = 'UTF-8'?> <ISConfiguration xmlns="http://www. maxTimeLimit ="120" (sec).xml is stored in SOA_Oracle_Home\bpel\system\services\schema\IdentityService. and scope="subtree". Oracle Universal Installer stores the default users-properties. maxSizeLimit—the maximum number of elements that are fetched from LDAP during a search operation maxTimeLimit—the maximum time to wait to retrieve elements from an LDAP search ■ ■ ■ By default. the BPEL identity service requires this file to get contact details and the organizational hierarchy for users.xml The identity service configuration file must specify the userPropertiesFile property and provide the value of the file name where all user properties are stored: <?xml version = '1./system-jazn-data. the LDAP provider for the identity service uses the following values: maxSizeLimit ="1000". Workflow rule definitions for groups may not work. Configuration for the XML-Based JAZN Provider The default provider included with Oracle BPEL Process Manager is XML-based JAZN.xml"/> </provider> </configurations> </ISConfiguration> Note that the users-properties. the identity service looks for users-properties. or subtree.xml in SOA_Oracle_Home\bpel\system\services\config The XML schema for users-properties.

3. To add a user to a specified realm.3.jar -user adminUser -password adminPassword -adduser realmName newUser newUserPassword See Also: ■ JAZN documentation for information on how to configure the middle tier to use the XML-based JAZN provider and how to use the JAZN Admintool The "Oracle BPEL Process Manager Workflow Services" chapter of the Oracle BPEL Process Manager Developer’s Guide for additional information on creating identity service users and roles ■ Configuring Identity Service 10. Note: Perform the following procedures to ensure that the Oracle Application Server instance is associated with Oracle Internet Directory.xml file of the home instance to the jazn. you must manually copy the relevant <jazn> element configuration section from the jazn.2.1.Configuring the Identity Service Note: JAZN realms.0 with 10. See the section "Considering Multiple OC4J Instances when Associating Oracle Internet Directory" in the Oracle Identity Management chapter of the Oracle Containers for J2EE Security Guide for specific instructions.xml file of all other instances.1. and roles and groups can be created with the JAZN Admintool. ■ ■ ■ ■ Task 1: Perform Preconfiguration Procedures Task 2: Perform Configuration Procedures Step 3: Test the Oracle Internet Directory Configuration Task 4: Configure the Middle Tier to use the LDAP-based JAZN provider with Secure Socket Layer (SSL) Troubleshooting Reverting from Oracle Internet Directory to the XML-Based JAZN Provider ■ ■ Task 1: Perform Preconfiguration Procedures If you are using Oracle Internet Directory in an environment with multiple OC4J instances (for example.1. Service Configuration 2-7 . issue the following command: java -jar jazn. users.2 Oracle Internet Directory This section describes how to configure the identity service of Oracle BPEL Process Manager 10. 1.1.0 with Oracle Internet Directory 10.1.1. SOA_Oracle_ Home/j2ee/home and SOA_Oracle_Home/j2ee/oc4j_soa). Log in to the Oracle Enterprise Manager 10g Application Server Control Console: http://hostname:port/em where hostname is name of the host on which Oracle BPEL Process Manager is installed and port is the Oracle HTTP Server port.

details appear on this page. Click the Administration tab. Go to the Security section in the Task Name column. Is Oracle Internet Directory Associated with an Instance? Yes No See. 4. 5. Review the details that appear on this page to ensure that this is the Oracle Internet Directory instance you want to use. 3.. 3. 2. 2-8 Oracle BPEL Process Manager Administrator’s Guide . Click the icon in the Go to Task column for Identity Management. If Oracle Internet Directory is configured with this Oracle Application Server instance. Return to the Administration tab of the OC4J: oc4j_name page you accessed in Step 3. The OC4J: oc4j_name page appears.Configuring the Identity Service The Cluster Topology page appears. "Oracle Internet Directory is Associated with an Oracle Application Server Instance" on page 2-8 "Oracle Internet Directory is Not Associated with an Oracle Application Server Instance" on page 2-9 See Also: Oracle Application Server Administrator’s Guide for details on using Oracle Enterprise Manager 10g Application Server Control Console Oracle Internet Directory is Associated with an Oracle Application Server Instance 1. 2. Go to the Security section. See the following section based on whether Oracle Internet Directory is associated with an instance. Click the OC4J instance name in the Members section. 6..

If you want to associate Oracle Enterprise Manager 10g Application Server Control Console with Oracle Internet Directory. 5. 7. Provide appropriate responses to the questions that appear. Service Configuration 2-9 . Go to the Application Name section. If not.Configuring the Identity Service 4. Select Oracle Identity Management Security Provider from the Security Provider Type list. Click the Edit column for orabpel. If you want to use SSL. Click Next. The orabpel (for Oracle BPEL Process Manager) and hw_services (for human workflow) applications appear. 6. 10. 6. provide the specific SSL port number of your Oracle Internet Directory instance. 2. Oracle Internet Directory is Not Associated with an Oracle Application Server Instance 1. Click Configure. The Change Security Provider page appears. specify the non-SSL port of your Oracle Internet Directory instance. Click Configure to create a new association or Change to associate a different Oracle Internet Directory with the Oracle Application Server instance. 4. Repeat Steps 6 through 9 for hw_services (human workflow). 8. 3. Click OK. 5. Click orabpel and hw_services to use Oracle Internet Directory as the security provider. 9. 7. The Security Provider page appears. provide appropriate details on this page. Click Change Security Provider. Click Next. Click the icon in the Go to Task column for Security Providers.

Execute either configure_oid.Configuring the Identity Service Task 2: Perform Configuration Procedures This section describes how to seed users into Oracle Internet Directory. 2.com:389" binddn="cn=orcladmin" password="passwd" encrypted="false"/> </provider> </configuration> </configurations> </ISConfiguration> The command also modifies the J2EE_Home/application-deployments/hw_ services/orion-application.sh oid_admin_user oid_admin_passwd oid_nonssl_port ssl_enabled oid_realm_name seedAllUsers | seedRequiredUsers oc4j_admin_user oc4j_admin_passwd oc4j_container_name For example: sh . Oracle recommends you use the bash shell to execute the script on Linux.sh orcladmin welcome 389 false us seedAllUsers oc4jadmin welcome1 oc4j_soa The execution of this command internally modifies the SOA_Oracle_ Home/bpel/system/services/config/is_config. to run this script on Linux: sh .oracle. ■ 2-10 Oracle BPEL Process Manager Administrator’s Guide . SOA_Oracle_Home/bpel/system/appserver/oc4j/j2ee/OC4J_ Instance_Name for Oracle BPEL Process Manager for OracleAS Middle Tier installations.bat (for Windows operating systems) or configure_oid.0' encoding = 'UTF-8'?> <ISConfiguration xmlns="http://www. 1.xml and J2EE_ Home/application-deployments/orabpel/orion-application.oid. The file contents look as follows: <?xml version = '1. Ensure that the ORACLE_HOME environment variable is set to the root directory of the Oracle Application Server instance being configured. If you are using Windows. and grant privileges to BPM roles. Note: The path name delimiter used in this example. For example.xml files and adds the Oracle Internet Directory details to the descriptor./configure_oid.com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="us" displayName="us Realm"> <provider providerType="JAZN" name="OID"> <connection url="ldap://my. which includes the configuration scripts: SOA_Oracle_Home/bpel/system/services/install/ant-tasks 3. assume that the path name delimiter is \.sh (for Unix operating system) with the required parameters. configure the identity service. where J2EE_Home is: ■ SOA_Oracle_Home/j2ee/OC4J_Instance_Name for Oracle Application Server SOA installations.xml file. /. is for UNIX./configure_oid. Open an operating system command prompt and go to the following directory.

Verify that you correctly specified all parameter values in Step 3. Ensure that your PATH variable points to Ant_Home/bin and Java_ Home/bin.admin. .Configuring the Identity Service The file contents look as follows: <?xml version = '1.port=non_ssl_port -Dssl.nonssl.enabled=is_ssl_enabled -Doid.1. Execute the following command (entered on a single.admin. d. .user=oid_admin_user_name -Doid. f.xml -Doid.com/oracleas/schema/orion-application-10_0.0'?> <orion-application xmlns:xsi="http://www. wrapping line): ant -f oid-config.pwd=welcome1 -Doid.admin.w3. . 4.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation= "http://xmlns.admin. e.pwd=oc4j_admin_password -Doc4j.port=389 -Dssl. If you encounter operating system-specific problems. This is typically SOA_ Oracle_Home/j2ee/home for an Oracle BPEL Process Manager for OracleAS Middle Tier install and SOA_Oracle_Home/bpel/ system/appserver/oc4j/j2ee/home for an Oracle BPEL Process Manager for Developers install.realm=oid_realm_name -Doid. .pwd=oid_admin_password -Doid. . .user=orcladmmin -Doid. For example: ant -f oid-config. .xml -Doid. .1. . Ensure that Ant_Home points to the correct directory.nonssl.enabled=false Service Configuration 2-11 . c.oracle. This is typically SOA_ Oracle_Home/jdk. . .xsd" deployment-version="10.3.container=oc4j_container_name b. Ensure that Java_Home points to the correct directory. . .user=oc4j_admin_user_name -Doc4j. <jazn provider="LDAP" jaas-mode="doAsPrivileged"/> .admin. This is typically SOA_ Oracle_Home/ant for an Oracle BPEL Process Manager for OracleAS Middle Tier installation and SOA_Oracle_Home/bpel/ system/appserver/oc4j/ant for an Oracle BPEL Process Manager for Developer’s installation. . . Ensure that OC4J_Home points to the correct directory. . </orion-application> The configure_oid script also grants required privileges to the BPMSystemAdmin role and the BPMDefaultDomainAdmin role. proceed as follows: a.0" default-data-source="jdbc/OracleDS" component-classification="internal-BPEL" schema-major-version="10" schema-minor-version="0"> .admin.seed=seedAllUsers | seedRequiredUsers -Doc4j.

user oid. To locate these names. Instead use orcladmin and us. The password of the user specified for the administrative user of Oracle Internet Directory.pwd oid. go to SOA_Oracle_Home/j2ee and look for the following directories: ■ SOA_Oracle_Home/j2ee/oc4j_ home/application-deployments/orabpel SOA_Oracle_Home/j2ee/oc4j_ home/application-deployments/hw_services ■ See Also: ■ "Reverting from Oracle Internet Directory to the XML-Based JAZN Provider" on page 2-14 Appendix A.user=oc4jadmin -Doc4j.realm oid.container A user with administrative privileges over your Oracle Application Server OC4J instance.container=oc4j_soa Note: The username and realm are not specified as cn=orcladmin or dc=us.pwd=welcome1 –Doc4j.admin.admin.nonssl. respectively.enabled true — Runs the identity service with SSL enabled.seed The realm under which you want to operate in Oracle Internet Directory. Note that JAZN must also be configured with SSL enabled.admin. The Oracle Internet Directory instance must be running on both the SSL and non-SSL ports.admin.dc=com. ■ oid.user oc4j. Set either of the following values: ■ seedAllUsers — Seeds the demo users into Oracle Internet Directory seedRequiredUsers — Seeds only those users required for proper functioning ■ oc4j.pwd oc4j.Configuring the Identity Service -Doid. Set to either of the following values: ■ ssl. The password of the user specified for the administrative user of OC4J.seed=seedAllUsers -Doc4j.dc=oracle. "Demo User Community" ■ 2-12 Oracle BPEL Process Manager Administrator’s Guide .realm=us -Doid. false — Does not run the identity service with SSL enabled. The container name where the hw_services (for human workflow) and orabpel (for Oracle BPEL Process Manager) applications are deployed. The parameters you specify are defined as follows: Parameter oid.admin. This is typically orcladmin.admin. This is typically oc4jadmin. The non-SSL port of the Oracle Internet Directory instance.port Value A user with administrative privileges over your Oracle Internet Directory instance.

user" value="cn=orcladmin"/> <property name="ldap. Service Configuration 2-13 . Repeat these steps for SOA_Oracle_ Home/j2ee/home/application-deployments/orabpel/orion-applicat ion.xml to specify a protocol.xml. but no certificates are used for authentication. Go to SOA_Oracle_Home/j2ee/home/application-deployments/hw_ services.xml (shown in bold): <jazn provider="LDAP" location="ldap://example.xml in a text editor. because NULL authentication does not use certificates. You can test with the bpeladmin user name to see if the user is seeded correctly. NULL authentication means that data is encrypted with the Anonymous Diffie-Hellman cipher suite. 4. follow these steps: 1. If the problem persists. 2.com:636" default-realm="us"> <property name="ldap. perform the configuration steps again. If you think the scripts did not complete successfully. add a <property> element to the <jazn> element in jazn. Add the following property element to jazn. 3.protocol" value="ssl"/> </jazn> See Also: Oracle Containers for J2EE Security Guide for additional details about JAZN configuration Troubleshooting If you cannot log in to Oracle BPEL Worklist Application or Oracle BPEL Control. You do not need to specify a wallet location or password.Configuring the Identity Service Step 3: Test the Oracle Internet Directory Configuration There are multiple ways to test the Oracle Internet Directory configuration: ■ Use the IdentityService servlet to look up users and roles by going to http://localhost:9700/integration/services/IdentityService/id entity?operation=lookupUser.xml and to the <connection> element in is_config. To use NULL authentication. ■ Go to the Oracle BPEL Worklist Application at http://localhost:9700/integration/worklistapp/Login and enter bpeladmin as the user name and welcome1 as the password to see if you can connect. ensure that the steps described above have been executed correctly. Task 4: Configure the Middle Tier to use the LDAP-based JAZN provider with Secure Socket Layer (SSL) You must use NULL authentication when communicating with Oracle Internet Directory.password" value="!welcome1"/> <property name="ldap. Verify that the jaas-mode attribute for the JAZN provider configuration is set to doAsPrivileged. For example: <jazn provider="LDAP" jaas-mode="doAsPrivileged"/> 5. Open orion-application.

xml. change the following line in the jazn.xml file. Rename is_config. 9. Select File Based Security Provider from the Security Provider Type list 10. 2. Go to the Security section in the Task Name column.xml. Click the Administration tab. 15. Log out of Oracle Enterprise Manager 10g Application Server Control Console. 3.BPM to is_config. The Change Security Provider page appears. 5. 1. 6. <property name="ldap. If you configured Oracle Internet Directory to use SSL in "Task 4: Configure the Middle Tier to use the LDAP-based JAZN provider with Secure Socket Layer (SSL)" on page 2-13. 7. Click the OC4J instance name in the Members section. Repeat Steps 7 through 10 for hw_services. Click OK. SOA_Oracle_Home/opmn/bin> opmnctl stopall SOA_Oracle_Home/opmn/bin> opmnctl startall 2-14 Oracle BPEL Process Manager Administrator’s Guide . 16. 11. Go to the Application Name section. 4. 13. Click the Edit column for orabpel. 14. Restart the Oracle Application Server instance for the changes to take affect.Configuring the Identity Service Reverting from Oracle Internet Directory to the XML-Based JAZN Provider Follow these procedures if you need to revert from Oracle Internet Directory back to XML-based JAZN as the identity service provider. The Cluster Topology page appears. The Security Provider page appears.protocol" value="no-ssl"/> 17. Log in to the Oracle Enterprise Manager 10g Application Server Control Console: http://hostname:port/em where hostname is the name of the host on which Oracle BPEL Process Manager is installed and port is the Oracle HTTP Server port. Click the icon in the Go to Task column for Security Providers.xml. Click Change Security Provider. The orabpel (for Oracle BPEL Process Manager) and hw_services (for human workflow) applications appear. 12. Go to the SOA_Oracle_home/bpel/system/services/config directory. The OC4J: oc4j_name page appears.protocol" value="ssl"/> to <property name="ldap. Delete is_config. 8.

2. sbs For Other Third-Party LDAP Servers system-ldap. as shown in the following examples. lastname. The user manager attribute from inetOrgPerson objectClass should be searchable to allow workflow escalation. manager. See the documentation for the third-party LDAP server you are using for how to set up the searchable attribute. title.sbs Replace the substitution variables with the appropriate values. 1. This is because Windows 2000 does not permit nested security groups. sn. and telephoneNumber. The recommended searchable attribute list is cn.dc=us.dc=oracle.dc=com Service Configuration 2-15 . firstname.Configuring the Identity Service Configuration for a Third-Party LDAP Server Note the following considerations when using a third-party LDAP server. To create system and optionally demo ldif files.sbs demo-ldap. the process assumes that the users’ and groups’ container is created in LDAP. These differences are also described. The actual values to enter depend upon your domain: LDAP Server Active Directory Substitution Variable %s_UserContainerDN% %s_GroupContainerDN% Replace With Value cn=Users. uid. and email attributes. mail. When you seed Oracle BPEL Process Manager users and roles into the LDAP server. givenName.dc=com cn=Users.dc=oracle. open the following template files in: SOA_Oracle_Home\bpel\system\services\config\ldap For Active Directory system-winServer2003-ActDir.sbs demo-roleGrants-winServer2003-ActDir.dc=us. Note: This section only describes Active Directory configuration on Windows 2003.sbs demo-winServer2003-ActDir. The configuration for Active Directory is slightly different. You can customize the attributes that can be searchable. The third-party LDAP servers must be configured to use the following standard objectClasses: For Other Third-Party LDAP Servers top person organizationalPerson inetOrgPerson groupOfUniqueNames For Active Directory top person organizationalPerson user group LDAP servers usually predefine the list of searchable attributes based on the cn.

dc=com is used in this example for Active Directory dn: ou=People.dc=acmeorac le.ldif and demo-ldap.ldif See the following Microsoft Active Directory Documentation for details about all bulk import options for Active Directory’s ldifde.dc=usldap.exe -i -k -f demo-winServer2003-ActDir.dc=oracle. Optionally.dc=ldapus. Perform the following steps based on your type of third party LDAP server: ■ For Active Directory: Run the following commands at the DOS command prompt on Windows 2003: ldifde. ■ For other third-party LDAP servers: Store changes in the system-ldap.microsoft.ldif with the ldapmodify utility.acme. %s_UserCommonNamingAttribute% and value are not applicable to Active Directory.dc=acmeoracle. Then load the system-ldap.dc=com is used in this example for other third-party LDAP servers ■ %s_GroupContainerDN% with a DN value of the entry under which all public groups are supposed to be added.ldif ldifde. load demo-ldap.com/technet/prodtechnol/windowsserver2003/technologies /directory/activedirectory/stepbystep/adbulk.dc=com ou=Groups. the cn value is used.dc=com is used in this example for other third-party LDAP servers ■ %s_UserCommonNamingAttribute% with the value used to construct the user's DN. In this example for other third-party LDAP servers. For example: $ldapadd -c -h ldap.dc=us.Configuring the Identity Service LDAP Server Other Third-Party LDAP Servers Substitution Variable %s_UserCommonNamingAttribute% %s_UserContainerDN% %s_GroupContainerDN% Replace With Value cn ou=People. otherwise.dc=usldap.exe -i -k -f system-winServer2003-ActDir.dc=acmeorac le. The groups’ container with: * * dn: cn=Users.ldif files.ldif ldifde.dc=com is used in this example for Active Directory dn: ou=Groups.exe -i -k -f demo-roleGrants-winServer2003-ActDir.dc=com where: ■ %s_UserContainerDN% with a DN.mspx#ECAA The Windows system administrator must set passwords for all seeded users.exe: http://www.dc=us.dc=oracle. The users container with: * * dn: cn=Users.ldif file to the LDAP server by using the ldapadd utility. worklist application authentication does not work for those users.dc=acmeoracle.dc=ldapus.com -p 389 -D "cn=admin" -w welcome -f 2-16 Oracle BPEL Process Manager Administrator’s Guide . value of the entry under which all users are supposed to be added.

userControls.com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="us" default="true"> <provider providerType="LDAP" name="iPlanet" service="Identity"> <connection url="ldap://host:port" binddn="uid=admin. it is uniqueMember.ldif See the documentation for the third-party LDAP server you are using for information about the ldapadd and ldapmodify commands.oracle. In Active Directory.o=netscaperoot" password="welcome1" encrypted="false"> <pool initsize="2" maxsize="25" prefsize="10" timeout="60"/> </connection> <userControls> <property name="nameattribute" value="uid"/> <property name="objectclass" value="inetOrgPerson"/> Service Configuration 2-17 .com -p 389 -D "cn=admin" -w welcome -f demo-oid. ■ ■ ■ Both userControls and roleControl must define a search element with the searchbase attribute. it is member. it is member. in Active Directory.ou=topologymanagement. The identity service third-party LDAP provider must specify connection. in Active Directory. it is uniqueMember. In Sun Directory Server. it is uid.dc=com. memberattribute—The attribute of a static LDAP group object specifying the distinguished names (DNs) of the members of the group. it is groupOfUniqueNames.dc=com.ldif $ldapmodify -c -h ldap. ■ And a set of role search properties: ■ nameattribute—the name of the LDAP attribute that uniquely identifies the name of the role.acme. for example. membershipsearchscope—specifies how deep in the LDAP directory tree to search for role membership.Configuring the Identity Service system-oid.0' encoding = 'UTF-8'?> <ISConfiguration xmlns="http://www. and roleControls elements in the identity service configuration file. Examples of two realm LDAP server configurations are shown below: <?xml version = '1. In Sun Directory Server. it is inetOrgPerson.ou=administrators. Supported values: onelevel or subtree.dc=us. objectclass—the LDAP schema object class that is used to represent a group. In Sun Directory Server. In Sun Directory Server. objectClass—the LDAP schema object class used to represent a user. The searchbase attribute of the userControls search element is a space-separated list of DNs in the LDAP directory that contains users.dc=oracle.dc=oracle. in Active Directory. it is group. Identity service third-party LDAP provider implementation defines a set of user search properties that must be configured: ■ nameattribute—the name of the LDAP attribute that uniquely identifies the name of the user. 3. The searchbase attribute of the roleControls search element is a space-separated list of DNs in the LDAP directory that contains roles. In Sun Directory Server. for example.dc=us.com. cn=users. cn=Groups. it is user.

cn=Users.dc=oracle.dc=idc.dc=com" password="welcome1" encrypted="true"> <pool initsize="2" maxsize="25" prefsize="10" timeout="300000"/> </connection> <userControls> <property name="nameattribute" value="sAMAccountName"/> <property name="objectclass" value="user"/> <search searchbase="cn=Users. dc=us.oracle.dc=idc.dc=oracle.dc=com" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120000"/> </roleControls> </provider> </configuration> </configurations> </ISConfiguration> An example for Microsoft Active Directory follows: <?xml version = '1.dc=us.dc=com" scope="subtree" maxSizeLimit="1000" maxTimeLimit="120000"/> </userControls> <roleControls> <property name="nameattribute" value="cn"/> 2-18 Oracle BPEL Process Manager Administrator’s Guide .dc=us.Configuring the Identity Service <search searchbase="ou=People.dc=com " scope="obelevel" maxSizeLimit="1000" maxTimeLimit="120"/> </userControls> <roleControls> <property name="nameattribute" value="cn"/> <property name="objectclass" value="groupOfUniqueNames"/> <property name="membershipsearchscope" value="onelevel"/> <property name="memberattribute" value="uniquemember"/> <search searchbase="ou=Groups.dc=oracle.dc=us.dc=com" password="welcome1" encrypted="true"> <pool initsize="2" maxsize="25" prefsize="10" timeout="300000"/> </connection> <userControls> <property name="nameattribute" value="uid"/> <property name="objectclass" value="inetOrgPerson"/> <search searchbase="ou=People.dc=oracle.dc=oracle.dc=oracle.dc=com" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120000"/> </userControls> <roleControls> <property name="nameattribute" value="cn"/> <property name="objectclass" value="groupOfUniqueNames"/> <property name="membershipsearchscope" value="onelevel"/> <property name="memberattribute" value="uniquemember"/> <search searchbase="ou=Groups.com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="AD" > <provider providerType="LDAP" name="Active Directory" service="Identity"> <connection url="ldap://host:port" binddn="cn=administrator.0' encoding = 'UTF-8'?> <ISConfiguration xmlns="http://www.dc=oracle.dc=com" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/> </roleControls> </provider> </configuration> <configuration realmName="idc"> <provider providerType="LDAP" name="openLDAP"> <connection url="ldap://host:port" binddn="cn=Manager.

POLJDBCDriver"/> <property name=3D"user" value=3D"system"/> <property name=3D"password" value=3D"manager"/> </connection> </provider> </configuration> </configurations> </ISConfiguration> In the proceeding example. In addition to the existing provider properties.xml file in the <owners> element of the groupObject.custom. roleControls. The <owners> element value can have several owners separated by commas.CustomIdentityService class.0' encoding =3D 'UTF-8'?> <ISConfiguration=xmlns=3D"http://www. the configuration defines a provider named DBProvider that is implemented by the is.custom.poljdbc. An owner can be either a user. or group. In this example.CustomIdentityService"> <connection url=3D"jdbc:polite4@host:1531:orabpel" > <property name=3D"driver" =value=3D"oracle.plugin.plugin.com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName=3D"default"> <provider providerType=3D"CUSTOM" name=3D"DBProvider" class=3D = "is. The provider uses custom connection properties for driver.dc=com" scope="subtree" maxSizeLimit="1000" maxTimeLimit="120000"/> </roleControls> </provider> </configuration> </configurations> </ISConfiguration> Configuration for Custom Identity Repository Plug-ins The following example shows how to use configuration properties to configure custom plug-ins. <?xml version =3D '1. The user owns the group or role indirectly if they are a grantee for another role or group that owns the role or group. This user can own the group directly or indirectly.dc=oracle.dc=us. userControls. and search elements in the configuration file to extend provider definitions. the CustomIdentityService class is used to demonstrate custom repository plug-ins. connection. you can define custom property elements that can be added to provider.Configuring the Identity Service <property name="objectclass" value="group"/> <property name="membershipsearchscope" value="onelevel"/> <property name="memberattribute" value="member"/> <search searchbase="cn=Users. application role. This class implements the BPMIdentityService interface. Setting Up Group Ownership The workflow rules for groups can be created and updated by users who are either the group owner or have the BPMWorkflowAdmin role. For example: <groupObject> Service Configuration 2-19 . Defining Group Ownership for JAZN XML-Based Providers Group ownership is an extended role property that is stored in the SOA_Oracle_ Home\bpel\system\services\config\users-properties.oracle.lite. user. and password.

use the server's tools or the ldapmodify utility to set values to the group's owner attribute. you must also perform additional configuration procedures. BPMAnalyst</owners> </groupObject> Defining Group Ownership for JAZN Oracle Internet Directory-Based and LDAP-Based Providers Group ownership is defined through the owner attribute. voice message. For third-party LDAP servers.xml in the directory SOA_Oracle_ Home\bpel\system\services\config contains the configuration for e-mail accounts. both IncomingServerSettings and OutgoingServerSettings are required. The name attribute in the EmailAccount element is the name of the account.xml identity service configuration file: <property name="roleOwnerAtribute" value="customOnwerAttribute" /> Configuring the Notification Services The notification service in Oracle BPEL Process Manager enables you to send notifications from a BPEL process using a variety of channels. The attribute name for owners can be overwritten with a property element of roleControls in the is_config. A default e-mail account must always be specified in the configuration file. Table 2–1 describes the XML elements for the e-mail notification configuration stored in the ns_emails. you must use Oracle Delegated Administration Services. A default e-mail account is specified in the e-mail configuration file. In addition to configuring notification channels in Oracle JDeveloper. 2-20 Oracle BPEL Process Manager Administrator’s Guide .oracle. Each EmailAccount element sets the configuration of a specific e-mail account. For actionable notifications in a workflow. The EmailAccount element contains the OutgoingServerSettings and IncomingServerSettings attributes. This account is also used to send task-related notifications. pager.xml file. or short message service (SMS). This section contains the following topics: ■ ■ ■ ■ ■ ■ Configuring the E-mail Server Configuring the Wireless Provider for Voice Configuring the Wireless Provider for SMS Configuring the Wireless Provider for Fax Configuring the Wireless Provider for Pager Configuring the Pluggable Notification Service See Also: Oracle BPEL Process Manager Developer’s Guide for details about configuring notification channels in Oracle JDeveloper Configuring the E-mail Server The file ns_emails. This account is used when there is no account specified to send an e-mail notification. To create an owner of the group in Oracle Internet Directory. jcooper.com</email> <owners>fkafka. fax.us.Configuring the Notification Services <name>LoanAgentGroup</name> <email>user1@dlsun4254. Oracle BPEL Process Manager can deliver these notifications by e-mail.

you should set this to false when you first enter the password. It is true if the password is encrypted and false if it is not. /Password[encrypted Generally. EmailAccount/Name EmailAccount/GeneralSettings/FromNa Name of the From e-mail address me EmailAccount/GeneralSettings/FromAd E-mail address for the From e-mail address dress EmailAccount/OutgoingServerSettings Name of the outgoing SMTP server /SMTPHost EmailAccount/OutgoingServerSettings Port of the outgoing SMTP server /SMTPPort EmailAccount/OutgoingServerSet Optional element to specify that authentication is tings/AuthenticationRequired required for the SMTP server EmailAccount/OutgoingServerSet Optional element to specify the user name for the tings/UserName SMTP account EmailAccount/OutgoingServerSet Optional element to specify the password for the tings/Password SMTP account EmailAccount/OutgoingServerSet Encrypted attribute of the password. EmailAccount/IncomingServerSettings Name of the folder from which to read the incoming messages /Folder EmailAccount/IncomingServerSettings Polling interval for reading messages from the incoming messages folder /PollingFrequency EmailMimeCharset MIME charset to be used to encode the e-mail from the address and the subject Service Configuration 2-21 . but must be unique within this server. The server automatically encrypts the password the first time it reads the configuration file and sets the attribute to true. EmailAccount/IncomingServerSettings Name of the incoming e-mail server /Server EmailAccount/IncomingServerSettings Port of the incoming e-mail server /Port EmailAccount/IncomingServerSettings User ID of the e-mail address /UserName EmailAccount/IncomingServerSettings User password /Password EmailAccount/IncomingServerSettings Encrypted attribute of the password. It is true if the incoming server requires SSL and false if it does /UseSSL not. EmailAccount/IncomingServerSettings Secure sockets layer (SSL) attribute. The server automatically encrypts the password the first time it reads the configuration file and sets the attribute to true. It is true if tings/Password[encrypted] the password is encrypted and false if it is not.Configuring the Notification Services Table 2–1 Name XML Elements for the E-mail Notification Configuration File Description Name of the account. You generally set this to false when you first enter the password. This can be any name.

oracle. ■ ■ Example ns_emails.com</FromAddress> </GeneralSettings> <OutgoingServerSettings> <SMTPHost>yourdomain.com</Server> <Port>110</Port> <Protocol>pop3</Protocol> <UserName>accountId</UserName> <Password ns0:encrypted="false" xmlns:ns0="http://xmlns. It is expected that the notification mode is set to either ALL or EMAIL after configuring the notification service for e-mail and other channels.) XML Elements for the E-mail Notification Configuration File Name NotificationMode Description The notification mode of the notification service. fax. By default.Configuring the Notification Services Table 2–1 (Cont.com</SMTPHost> <SMTPPort>25</SMTPPort> <AuthenticationRequired>true</AuthenticationRequired> <UserName>userId</UserName> <Password encrypted="false" xmlns:ns0="http://xmlns.com/ias/pcbpel/NotificationService"> password</Password> <UseSSL>false</UseSSL> <Folder>Inbox</Folder> <PollingFrequency>1</PollingFrequency> <PostReadOperation> <MarkAsRead/> </PostReadOperation> </IncomingServerSettings> </EmailAccount> </EmailAccounts> 2-22 Oracle BPEL Process Manager Administrator’s Guide .com/ias/pcbpel/NotificationService" EmailMimeCharset="" NotificationMode="NONE"> <EmailAccount> <Name>Default</Name> <GeneralSettings> <FromName>Oracle BPM</FromName> <FromAddress>accountId@yourdomain. voice. NONE – No channel is configured for sending notification messages.xml File <EmailAccounts xmlns="http://xmlns.oracle. EMAIL – Only the e-mail channel is configured for sending notification messages. and pager channels are configured and notification is sent through any channel. SMS.com/ias/pcbpel/NotificationService"> password</Password> </OutgoingServerSettings> <IncomingServerSettings> <Server>yourdomain.oracle. this value is set to NONE and therefore no notifications are sent. The possible values for this attribute are: ■ ALL – the e-mail. This is the default setting.

or by using Oracle Enterprise Manager 10g Application Server Control Console. ns_iaswconfig. Name of the proxy server Port number of the proxy server /IASWConfiguration/ProxyHost /IASWConfiguration/ProxyPort Note: The username and password are intentionally left blank at installation.this username should exist in iAS Wireless schema --> <UserName>username</UserName> <Password ns0:encrypted="false" xmlns:ns0="http://xmlns.oracle. you should set this to false when you first enter the password.xml.com/ias/pcbpel/NotificationService"> <!-.com/ias/pcbpel/NotificationService">password </Password> </IASWConfiguration> Service Configuration 2-23 . Example ns_iaswconfig.oracle.0' encoding = 'UTF-8'?> <!--This XML file stores the details of the IAS Wireless Notification Service--> <IASWConfiguration xmlns="http://xmlns. the wireless server allows up to 50 notifications from a specific IP address.xml File <?xml version = '1.oracle. you must get a paid account from http://messenger. Table 2–2 Name /IASWConfiguration/SoapURL /IASWConfiguration/UserName /IASWConfiguration/Password /IASWConfiguration/Password[encr ypted XML Elements for the Voice Notification Configuration File Description URL of the wireless service provider Name of the user account with the wireless service provider User password Encrypted attribute of the password.com You then specify the appropriate username and password in the configuration file.UserName .oracle.xml.xml on the SOA_Oracle_Home server. The server automatically encrypts the password the first time it reads the configuration file and sets the attribute to true.Configuring the Notification Services Configuring the Wireless Provider for Voice The configuration for the wireless service provider is stored in an XML file. After 50 notifications.URL to the SOAP Service --> <SoapURL>http://messenger. ns_ iaswconfig. Generally. which is in SOA_Oracle_Home\bpel\system\services\config Table 2–2 describes the XML elements for the voice notification configuration stored in ns_iaswconfig. If a username or password is not specified. It is true if the password is encrypted and false if it is not.com/xms/webservices</SoapURL> <!-.

xml. You can plug in a custom notification service for all channels or selectively for specific channels. which is in SOA_Oracle_Home\bpel\system\services\config See "Configuring the Wireless Provider for Voice" on page 2-23 to configure a wireless service provider for pager. you must edit the SOA_Oracle_ Home\bpel\system\services\config\ns_faxcoverpages. For example.services. the configuration for the wireless service provider for SMS is stored in the XML file ns_iaswconfig.pc. you implement the oracle. <FaxCoverPages xmlns="http://xmlns. Configuring the Wireless Provider for Fax As with the voice notification channel.oracle.tip. Note that you cannot use the Oracle Enterprise Manager 10g Application Server Control Console to configure a fax provider for this release. This interface has methods for the following channels: 2-24 Oracle BPEL Process Manager Administrator’s Guide . which is in SOA_Oracle_Home\bpel\system\services\config See "Configuring the Wireless Provider for Voice" on page 2-23 to configure a wireless service provider for SMS. Note that you cannot use the Oracle Enterprise Manager 10g Application Server Control Console to configure a pager provider for this release.ICustomNotificationService interface. the notification service provides the ability to plug in an existing SMS implementation instead of the default SMS notification service.Configuring the Notification Services Configuring the Wireless Provider for SMS As with the voice notification channel.notification. the configuration for the wireless service provider for pager is stored in the XML file ns_iaswconfig. Use the cover page name to specify the cover page in the fax message.xml. Configuring the Fax Cover Page To add cover pages for a fax.com/ias/pcbpel/NotificationService"> <FaxCoverPage> <Name>legal</Name> <MimeType>application/pdf</MimeType> <FileLocation>C:\orabpel\bpel\runtime\config\faxcoverpages\003288. which is in SOA_Oracle_Home\bpel\system\services\config See "Configuring the Wireless Provider for Voice" on page 2-23 to configure a wireless service provider for fax.xml.pdf</FileLocatio n> </FaxCoverPage> </FaxCoverPages> Configuring the Wireless Provider for Pager As with the voice notification channel. the configuration for the wireless service provider for fax is stored in the XML file ns_iaswconfig. Pluggable Notification Service Implementation To plug in a notification service. Configuring the Pluggable Notification Service Custom notification service implementations can be plugged in and used instead of the default notification service providers.xml.

set the Email element with the complete class name of your implementation: <CustomNotificationServices> <All/> <Email>com. Pager.NotificationService</All> <Email/> <Voice/> <Fax/> <Pager/> <SMS/> <IM/> </CustomNotificationServices> If you are overriding the default implementation for only the e-mail channel.AbstractCustomNotificationSe rviceImpl.services.xml to set is shown below. --> <CustomNotificationServices> <All/> <Email/> <Voice/> <Fax/> <Pager/> <SMS/> <IM/> </CustomNotificationServices> If you are overriding the default implementation for all channels.tip. By default. set the All element with the complete class name of your implementation: <CustomNotificationServices> <All>com.pc. <!-. Alternatively. you register it in the SOA_Oracle_ Home\system\services\config\ns_iaswconfig.test.xyz.NotificationService</Email> <Voice/> <Fax/> Service Configuration 2-25 .Specify any custom implementation for sending notification via Voice. When the custom notification service is overriding the default implementation for a subset of channels. which provides empty implementations for each of the channels. SMS or IM channels.test. all elements are empty.notification. the implementation can extend the abstract class oracle. the methods corresponding to the other channels (channels that are not overridden) are not called by the notification service. the implementation can just extend the methods for the interested channels.xyz. In that case. The section in ns_ iaswconfig.Configuring the Notification Services ■ ■ ■ ■ ■ ■ E-mail Voice Fax SMS Instant messaging (IM) Pager The plugged-in notification service can override the default providers for one or more channels.xml file. Pluggable Notification Service Registration Once the implementation is available. 'All' refers to an implementation for all of the above specified channels. Those methods can just return null. Fax.

errorpage" value="Error. Configuring the Workflow Service The configuration for all workflow services is performed in the SOA_Oracle_ Home\bpel\system\services\config\wf_config. <workflowConfigurations xmlns="http://xmlns.oracle.com:8888/integration/ worklistapp/TaskDetails?taskId=PC_HW_TASK_ID_TAG</worklistApplicationURL> <actionableEmailAccountName/> <pushbackAssignee>INITIAL_ASSIGNEES</pushbackAssignee> <assigneeDelimiter><![CDATA[.com/bpel/workflow/userMetadata"> <taskAutoReleaseConfigurations> <taskAutoRelease priority="1" default="P1D" percentageOfExpiration="30"/> <taskAutoRelease priority="2" default="P2D" percentageOfExpiration="40"/> <taskAutoRelease priority="3" default="P3D" percentageOfExpiration="50"/> <taskAutoRelease priority="4" default="P4D" percentageOfExpiration="60"/> <taskAutoRelease priority="5" default="P5D" percentageOfExpiration="70"/> </taskAutoReleaseConfigurations> <worklistApplicationURL>http://mlkenned-pc.]]></assigneeDelimiter> <shortHistoryActions> <action>ACQUIRE</action> <action>INFO_REQUEST</action> <action>INFO_SUBMIT</action> <action>RELEASE</action> </shortHistoryActions> <workflowServiceSessionTimeoutInMinutes>60</workflowServiceSessionTimeout InMinute> <user:ruleRepositoryInfo> <user:ruleEngine>ORACLE</user:ruleEngine> <user:repositoryLocation>WFRepository</user:repositoryLocation> <user:dictionaryName>WFDictionary</user:dictionaryName> <user:reposProperty name="reposType">jar</user:reposProperty> </user:ruleRepositoryInfo> <property name="worklist. Note that the implementation and its dependent classes must be available in the classpath of Oracle BPEL Server.jsp" /> <property name="worklist.oracle.loginpage" value="Login.jsp" /> </workflowConfigurations> This section describes the configuration parameters in this file: ■ ■ ■ ■ ■ ■ taskAutoReleaseConfigurations worklistApplicationURL actionableEmailAccountName pushbackAssignee assigneeDelimiter shortHistoryActions 2-26 Oracle BPEL Process Manager Administrator’s Guide .xml file.Configuring the Workflow Service <Pager/> <SMS/> <IM/> </CustomNotificationServices> The override for other channels is configured the same way as the e-mail channel.redirectpage" value="TaskDetails" /> <property name="worklist.com/pcbpel/humanworkflow/configurations" xmlns:user="http://xmlns.oracle.us.

xml file. the autorelease duration can be specified as a percentage of the expiration (the percentageOfExpiration attribute) duration or a default value (the default attribute). The capital letters are delimiters and can be omitted when the corresponding member is not used. worklistApplicationURL In the e-mails that are sent for tasks. the link to the Oracle BPEL Worklist Application is read from the worklistApplicationURL XML element in the wf_config. The release duration is configurable in the wf_config.xml file. and so. then the task is released at 3/37/2005 10:00 PM (3 1/2 days from when it was acquired). pushbackAssignee A task can be pushed back to the previous approver or previous original assignees. This e-mail account name is identified by the XML element actionableEmailAccountName in the wf_config. For example. Examples include PT1004199059S. if the task of priority 3 is acquired at 3/24/2005 10:00 AM and the task expires at 3/31/2005 10:00 AM. -P1Y. A particular business process can disable the autorelease by making autorelease a restricted action. The tag PC_HW_TASK_ ID_TAG in this URL is replaced with the task ID when constructing the URL for the e-mail. none of the initial assignees can see the task if the task was assigned to them. PT130S.Configuring the Workflow Service ■ ■ workflowServiceSessionTimeoutInMinutes user:ruleRepositoryInfo See Also: Oracle BPEL Process Manager Developer’s Guide for additional details about the workflow services taskAutoReleaseConfigurations If a task is assigned to groups or multiple users.xml file controls whether the task is pushed back to the original assignees or the approvers. After the task is acquired. The default values are used when the task does not have an expiration duration. PT2M10S.xml file. Configuring this is useful if the custom Oracle BPEL Worklist Application is built. escalated the task. The datatype of default is xsd:duration. actionableEmailAccountName Task actions can be performed through e-mail. The XML element pushbackAssignee in the wf_ config.123S. The original assignees do not need to be the approver. P1DT2S. as they may have reassigned the task. The release durations can be configured for tasks of each priority. For each priority. The configurations for the autorelease durations are in the element taskAutoReleaseConfigurations. the task is automatically released so that all other users in the group or list of users can see it. If the percentageOfExpiration for priority 3 tasks was 50. then the time left for expiration is 7 days. The element worklistApplicationURL identifies the URL. The actionable e-mail account is the account in which task action-related e-mails are received and processed. The possible values for this element are as follows: Service Configuration 2-27 . or P1Y2M3DT5H20M30. whose format is defined by ISO 8601 under the form PnYnMnDTnHnMnS. If the user does not act within a given time. one of the users in the group or the list of users must acquire the task before acting on it.

and withdrawn result in the version being in the short history. By default. outcome update. task initiation.) was used as a delimiter. the following two are equivalent. If a different delimiter is used in a particular environment. expiration. The short history contains only versions created by certain actions. In the example below.xml file. a comma (. if the XPath expression /task:task/task:payload/payload:assignee returns jcooper. <participant name="Loan Agent"> <resource isGroup="false" type="XPATH">/task:task/task:payload/payload:assignee</resource> </participant> shortHistoryActions The workflow service maintains two types of task history: ■ ■ Detailed history Short history The detailed history contains all the changes made to the task. stein.xml file. jstein</resource> </participant> ■ Listing 2: <participant name="Loan Agent"> <resource isGroup="false" type="STATIC">jcooper </resource> <resource isGroup="false" type="STATIC">jstein</resource> </participant> In the above example. complete. Action ACQUIRE AUTO_RELEASE ADHOC_ROUTE DELEGATE ERROR Action INFO_REQUEST INFO_SUBMIT OVERRIDE_ ROUTING_SLIP PUSH_BACK REASSIGN Action RENEW RESUME SKIP_CURRENT_ ASSIGNMENT SUSPEND UPDATE Action OUTCOME_UPDATE_ ROUTE 2-28 Oracle BPEL Process Manager Administrator’s Guide . then the delimiter can be specified in the XML element assigneeDelimiter in the wf_config. For example. reinitation. The possible actions that can be added to the short history actions are listed below.Configuring the Workflow Service ■ ■ APPROVER INITIAL_ASSIGNEES assigneeDelimiter Task assignees in the routing slip can be specified as a delimited string. then this participant is the same as listing 2 above. You can add other actions to the short history list in the XML element shortHistoryActions in the wf_config. ■ Listing 1: <participant name="Loan Agent"> <resource isGroup="false" type="STATIC">jcooper. Note that the dynamic assignee names are also interpreted for delimited strings.

located in the same directory as wf_config. The separate instances can all point to the same WebDAV URL. the rule repository is the file WFRepository. but does not perform any activity for a time greater than the value specified in workflowServiceSessionTimeoutInMinutes. For the Oracle BPEL Worklist Application. Set the following properties for ruleRepositoryInfo: ■ ruleEngine: ORACLE (only the Oracle Business Rules Rules Engine is currently supported) repositoryLocation: URL for the WebDAV repository dictionaryName: WFDictionary reposProperty – – name: reposType. dictionaryName: WFDictionary reposProperty – name: reposType. they are required to log into the application again. By default.Configuring the Workflow Service Action ESCALATE Action RELEASE Action OUTCOME_UPDATE Action workflowServiceSessionTimeoutInMinutes This is the length of time a workflowContext remains valid. set the following properties for ruleRepositoryInfo: ■ ruleEngine: ORACLE (only the Oracle Business Rules Rules Engine is currently supported) repositoryLocation: file path to the repository file. value: Web proxy to use when accessing the WebDAV repository (this property is optional) ■ ■ ■ Service Configuration 2-29 . this means that if a user remains logged into the application. When specifying a repository file on the file system. Use the import utility in the Oracle Business Rules Rule Author to import the dictionary WFDictionary from the WFRepository file-based repository into your WebDAV-based repository. The ruleRepositoryInfo section of the wf_ config. The repository file can be accessed from the file system. relative to the directory SOA_Oracle_Home\bpel\system\services\config. and a new authenticated context must be created. If the client does not perform any activity for longer than the specified time. set up a WebDAV Oracle Business Rules repository.xml file configures how to look up this file. the workflowContext is marked as invalid. Accessing the repository through WebDAV is useful if you have several instances of the user metadata service on separate hosts that must access the same rule information. or from a HTTP server through the WebDAV protocol.xml. value: webDAV name: proxyHost. user:ruleRepositoryInfo The user metadata service stores the workflow rules for users and groups in an Oracle Business Rules repository file. value: jar ■ ■ ■ To host the workflow rules repository using WebDAV.

Oracle BPEL Process Manager integration with OracleAS Service Registry also insulates Oracle BPEL Process Manager processes from any changes to service endpoints (physical hosted location. implementation. invoking services. The registry service inquiry URI is identified at the Oracle BPEL Process Manager domain level by a configuration property. A UDDI registry provides a standards-based foundation for locating published services. OracleAS Service Registry is a version 3-compliant implementation of the Universal Description. This section contains the following topics: ■ Task 1: Installing the Oracle Application Server SOA Suite and OracleAS Service Registry Task 2: Deploying Web Services Task 3: Publishing a Service and Adding Bindings Task 4: Specifying the Registry Service Inquiry URL in Oracle BPEL Control Task 5: Creating a Connection to the UDDI Registry Task 6: Configuring the RapidDistributors Partner Link Task 7: Specifying the OracleAS Service Registry Service Key Task 8: Securing the Client with Basic Authentication (Optional) Troubleshooting ■ ■ ■ ■ ■ ■ ■ ■ 2-30 Oracle BPEL Process Manager Administrator’s Guide .Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry – – name: proxyPort. and so on). value: path (on local file system) to the wallet file containing the credentials for connecting to a secure WebDAV URL (this property is optional) See Also: ■ Oracle Business Rules User’s Guide for instructions on setting up a WebDAV repository Oracle BPEL Process Manager Developer’s Guide for details about BPEL process integration with business rules ■ Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry You can integrate Oracle BPEL Process Manager with Oracle Application Server Service Registry (OracleAS Service Registry). transport. Discovery and Integration (UDDI) specification. This section provides an overview of how to integrate the RapidDistributors Web service of the OrderBooking tutorial with OracleAS Service Registry. the new physical endpoint is discovered with the service key reference (which does not change). The integration between Oracle BPEL Process Manager and OracleAS Service Registry is achieved by passing a reference to the service key (for the registered service in OracleAS Service Registry) at runtime. value: Web proxy port (this property is optional) name: wallet. or quality of service). and is a key component of a Service Oriented Architecture (SOA). and managing metadata about services (security. If the service endpoint for the published service changes. Consumers can browse and select published services that meet their needs.

com/technology/tech/webservices/htdocs/uddi/index .3 Product Documentation.xml file. Depending on the Oracle Application Server SOA install type that you select. Locate the registry component. 4. Change default-web-site as follows: <port id="default-web-site" range="8889" protocol="http"/> This assigns a fixed port (8889). Ensure that you use the same HTTP port (8889) specified for the OC4J container. 5.html Note: These instructions assume you are familiar with OracleAS Service Registry and have read and used the following documentation included with the downloaded product: OracleAS Service Registry 10.oracle. b. If you install the Oracle Application Server SOA Basic install type. the second OC4J container is named registry.3 Product Documentation Registry Step By Step Guide About Oracle Registry (online tutorial) ■ ■ 6. Install OracleAS Service Registry by following the instructions in OracleAS Service Registry 10. Open the SOA_Oracle_Home/opmn/config/opmn. Follow the instructions in Oracle Application Server Administrator’s Guide to start the second OC4J instance created in Step 2.1. which is included in the downloaded ZIP file. c. Follow the instructions in Oracle Application Server Administrator’s Guide to create a second OC4J instance through one of the following methods: ■ ■ 2. With the createinstance utility With Oracle Enterprise Manager 10g Application Server Control Console For the procedures in this section.1. Notes: ■ ■ Do not start the second OC4J instance.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry Task 1: Installing the Oracle Application Server SOA Suite and OracleAS Service Registry 1. Note that the OracleAS Service Registry must not be installed in the same OC4J container as Oracle BPEL Process Manager and Oracle Enterprise Service Bus. If you installed the Oracle Application Server SOA Basic install type. The OracleAS Service Registry must not reside in the same OC4J container as your Oracle Application Server SOA install type. Install an Oracle Application Server SOA Advanced install type (recommended). Download OracleAS Service Registry from the following Oracle Technology Network location: http://www. you must perform additional configuration steps described in Step 3. 3. perform the following procedure: a. the Service Configuration 2-31 .

Shut down your Oracle Application Server SOA install type: cd SOA_Oracle_Home/opmn/bin opmnctl stopall 8.jar security_providers_client.security.xml file. 11.jar"/> <code-source path="SOA_Oracle_Home/bpel/registry/lib/security_providers_ client. The OC4J container name appears in your installation directory path.jar"/> Ensure that you replace SOA_Oracle_Home with the real path.jaas.jar security3-ng. Open the system-jazn-data.jar where OC4J_Home is the name of the OC4J container for your install type: – – home — for the Oracle Application Server SOA Basic install type OC4J_SOA — for the Oracle Application Server SOA Advanced install types If the api-ext directory does not exist. Locate the shared library named orabpel.xml file. Add the following lines at the bottom: <code-source path="SOA_Oracle_Home/bpel/registry/lib/security2-ng. Note: 9.NamePasswordLoginModuleNoAuth</class> <control-flag>required</control-flag> 2-32 Oracle BPEL Process Manager Administrator’s Guide .xml file. Add new login modules to the <jazn-loginconfig> section: <application> <name>NamePasswordNoAN</name> <login-modules> <login-module> <class>com. Back up the SOA_Oracle_Home/j2ee/OC4J_ Home/config/system-jazn-data.xml file. Copy the following library files from SOA_Oracle_ Home/j2ee/registry/applications/registry/registry/WEB-INF/lib to SOA_Oracle_Home/j2ee/OC4J_Home/lib/api-ext: ■ ■ security-ng. Open the server. 13.jar 10. Back up the SOA_Oracle_Home/j2ee/OC4J_Home/config/server. create it. 14.common in the server. 12. 16. ■ 7. 15.xml file. Copy the following library files from the OracleAS Service Registry Registry_ Installation_Home\lib directory to the SOA_Oracle_ Home/bpel/registry/lib directory: ■ ■ security2-ng.idoox.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry container location is either in home or OC4J_SOA. For example: ■ home — is the container name if you install the Oracle Application Server SOA Basic install type OC4J_SOA — is the container name if you accept the default value when installing an Oracle Application Server SOA Advanced install type.

idoox.systinet.NamePasswordLoginModuleNoAuth</class> <control-flag>required</control-flag> <options> <option> <name>debug</name> <value>true</value> </option> Service Configuration 2-33 . Open the system-jazn-data.uddi.SmLoginModule</class> <control-flag>required</control-flag> <options> <option> <name>debug</name> <value>true</value> </option> </options> </login-module> </login-modules> </application> <application> <name>NamePasswordNoAN</name> <login-modules> <login-module> <class>com. Add new login modules to the <jazn-loginconfig> section: <application> <name>HttpRequest</name> <login-modules> <login-module> <class>com. 18.security.xml file.jaas.jaas. 19. Back up the SOA_Oracle_ Home/j2ee/registry/config/system-jazn-data.systinet.security.uddi.NamePasswordLoginModule</class> <control-flag>required</control-flag> <options> <option> <name>debug</name> <value>true</value> </option> </options> </login-module> </login-modules> </application> 17.jaas.xml file.security.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry <options> <option> <name>debug</name> <value>true</value> </option> </options> </login-module> </login-modules> </application> <application> <name>NamePasswordAN</name> <login-modules> <login-module> <class> com.

systinet. Start your Oracle Application Server SOA install type: cd SOA_Oracle_Home/opmn/bin opmnctl startall Task 2: Deploying Web Services You are now ready to deploy the RapidDistributors Web service. 22.security.xml and change the value of search-local-classes-first to false.jaas. "Authentication Configuration" of OracleAS Service Registry 10.Oracle_Home > Oracle BPEL Process Manager > Developer Prompt to open up an operating system command prompt at the SOA_Oracle_Home\bpel\samples directory. 2-34 Oracle BPEL Process Manager Administrator’s Guide .security. Select Start > All Programs > Oracle .NamePasswordLoginModule</class> <control-flag>required</control-flag> <options> <option> <name>debug</name> <value>true</value> </option> </options> </login-module> </login-modules> </application> <application> <name>IdentityAsserter</name> <login-modules> <login-module><class> com.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry </options> </login-module> </login-modules> </application> <application> <name>NamePasswordAN</name> <login-modules> <login-module> <class> com.jaas.uddi.systinet.uddi. 21. 1.3 Product Documentation to enable OracleAS Service Registry basic authentication. Follow the instructions in section 8.IdentityAsserterLoginModule</class> <control-flag>required</control-flag> <options> <option> <name>debug</name> <value>true</value> </option> </options> </login-module> </login-modules> </application> 20. Open SOA_Oracle_ Home/j2ee/registry/application-deployments/registry/registry/ orion-web.1.

3. 4.OrderBookingTutorial 3. a message appears at the end: BUILD SUCCESSFUL Task 3: Publishing a Service and Adding Bindings 1. Publish the RapidDistributors service to OracleAS Service Registry by following the instructions for creating a provider and publishing a service in "Publishing a Service" of OracleAS Service Registry 10. Change directories to the tutorials\127. 2. The Registry Step By Step Guide About Oracle Registry also provides an example. Enter the following command: ant This deploys and starts the required services. The Add Binding page appears.OrderBookingTutorial subdirectory: cd tutorials\127. Right-click the published service and select Add binding. you are ready to add bindings. See "Publishing a Binding Template" of OracleAS Service Registry 10.3 Product Documentation for details.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry 2.1.) http://hostname:port/RapidDistributors?wsdl Service Configuration 2-35 . Bindings represent a Web service instance from which you obtain the access point of an instance.0/ ■ other (This is an optional selection and refers to the abstract location of the service.0/ 5. including RapidDistributors.) http://hostname:port/orabpel/default/RapidDistributors/1.3 Product Documentation.0/RapidDistributor s?wsdl ■ endPoint (This is an optional selection and refers to the WSDL endpoint. After publishing a service (named RapidDistributors for this example).1. Enter the Web service access point for the RapidDistributors service: http://hostname:port/orabpel/default/RapidDistributors/1. Select an entry from the Use type list: ■ wsdlDeployment (This is a mandatory selection and refers to the physical endpoint of the service. Go to OracleAS Service Registry. If successful.) http://hostname:port/orabpel/default/RapidDistributors/1.

xml file in "Task 7: Specifying the OracleAS Service Registry Service Key" on page 2-38. Click Add binding when complete.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry 6. Note the service key value. The bindings are added to the service.Oracle_Home > Oracle BPEL Process Manager > BPEL Control Go to the following URL: http://localhost:port/BPELConsole ■ 2. Task 4: Specifying the Registry Service Inquiry URL in Oracle BPEL Control 1. For example: 2-36 Oracle BPEL Process Manager Administrator’s Guide . You later specify this value in a deployment descriptor property in the bpel. Access Oracle BPEL Control through one of the following methods: ■ Select Start > All Programs > Oracle . Select Manage BPEL Domain > Configuration. Enter a value for the uddiLocation property: http://hostname:port/registryname/uddi/inquiry This property must refer to the inquiry WSDL URL of the OracleAS Service Registry. 3.

Right click UDDI Registry.jpr file in Oracle JDeveloper. 5.oracle.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry http://hostname. The required endpoint service can now be selected in the Service Explorer window by browsing services under the UDDI Registry folder while a creating a partner link. the following message appears: Successfully contacted UDDI inquiry endpoint 8.us.com:42461/registryrc7/uddi/inquiry?wsdl Note: There can only be one OracleAS Service Registry reference in a Oracle BPEL Process Manager Installation at any point in time. Select New UDDI Registry Connection. Double-click the RapidDistributors partner link in the designer window. Test the connection by clicking Test Connection. Click the flashlight (the second icon from the left named Service Explorer) to access the Service Explorer window for selecting the RapidDistributors service deployed in "Task 1: Installing the Oracle Application Server SOA Suite and OracleAS Service Registry" on page 2-31. Click Next. Task 5: Creating a Connection to the UDDI Registry You now create a connection to OracleAS Service Registry in Oracle JDeveloper. The Edit Partner Link window appears. 1. 3. 7. Click Finish.com:42461/registryrc7/uddi/in quiry?wsdl Note: The value you enter here is the same as the value specified in Oracle BPEL Control in Step 3 of "Task 4: Specifying the Registry Service Inquiry URL in Oracle BPEL Control" on page 2-36. 3. If the connection was successful. Field Connection Name Inquiry Endpoint URL 6.us. Enter the following connection information: Description Enter a name for connecting to the registry. Service Configuration 2-37 . Open the SOA_Oracle_ Home/bpel/samples/tutorials/127. Enter the URL of the inquiry endpoint.OrderBookingTutorial/OrderBoo king/OrderBooking. Click Next on the Welcome page. Task 6: Configuring the RapidDistributors Partner Link You now configure the RapidDistributors partner link and select the Web service access point in OracleAS Service Registry. 1. 2.oracle. Select Connection Navigator from the View main menu in Oracle JDeveloper. 2. For example: http://hostname. 4.

This enables a partner link to invoke the Web service through OracleAS Service Registry. 1. <property name="registryUsername"> registry_username </property> <property name="registryPassword"> registry_password </property> where: ■ ■ registry_username — the name of a registry user registry_password — the password for this registry user 2-38 Oracle BPEL Process Manager Administrator’s Guide . At runtime. follow these procedures. Task 8: Securing the Client with Basic Authentication (Optional) If you want to secure the client side with basic authentication. Enable secure HTTP basic authentication by adding the following two properties to your bpel. you can verify that the service for RapidDistributors is invoked from the service endpoint retrieved from OracleAS Service Registry.xml file: <property name="registryServiceKey">uddi:e3955ac0-45a8-11db-9dd0-28bc5b509dce</property> The service key value was created in Step 6 on page 2-36. 1.Integrating Oracle BPEL Process Manager with the Oracle Application Server Service Registry 4. Task 7: Specifying the OracleAS Service Registry Service Key You now configure the service key value with the registryServiceKey property. Add the following registryServiceKey property to the partner link for RapidDistributors in the respective partnerLinkBinding section of the bpel.xml file in the respective partnerLinkBinding section. Expand the navigation tree and select the RapidDistributors service under the UDDI Registry.

xml file. All subsequent invocations of the service are performed successfully without error (after deployment).com|localhost| ser vices. Summary This chapter describes how to configure the identity service.net|*idc. The following error displays the first time the calling BPEL process invokes the registry published service.acme.us.idc.com|*.acme.com"/> Otherwise. the settings in that file overwrite the ones set in Oracle BPEL Control.proxyPort=80 -Dhttp. ■ A one-time binding fault occurs when OracleAS Service Registry is deployed on a remote Oracle Application Server SOA instance while the BPEL processes are deployed on another SOA instance of a different host.com/bpel/extension"><part name="code"><code>GenericError</code> </part><part name="summary"><summary>http_client transport doesn't support nonProxyHosts with wildcards</summary> </part></bindingFault> ■ If your WSDL URLs point to hosts using the DHCP communication protocol instead of static IP addresses.159. If they are also set in the bpel. <bindingFault xmlns="http://schemas.xmethods.nonProxyHosts=122.net|xmethods.proxyHost=www-proxy.106|*acmecorp.acme. Troubleshooting This section describes troubleshooting procedures for OracleAS Service Registry and Oracle BPEL Process Manager integration. Service Configuration 2-39 . ensure that you update the SOA_Oracle_ Home/opmn/conf/opmn. and notification service. you can receive deployment errors.com|dhcp-idc-towers-12239-159-106.39.com -Dhttp.Summary You can also set these properties at the domain level in Oracle BPEL Control under Manage BPEL Domain > Configuration (as you set the uddiLocation property). worklist service.xml file to include this information.oracle.oracle. For example: -Dhttp.

Summary 2-40 Oracle BPEL Process Manager Administrator’s Guide .

xml file Create system (demo) users and roles This section contains the following topics: ■ ■ ■ ■ ■ ■ ■ ■ Description of Oracle BPEL Process Manager Interfaces Implementing the Identity Service Plug-in Specifying the Service Factory Methods Specifying the Provider Configuration Implementing the BPMProvider Interface Deploying the Identity Service Plug-in Registering and Configuring the Identity Service for the Custom Plug-in Creating Users and Groups Description of Oracle BPEL Process Manager Interfaces Table 3–1 describes the available interfaces.3 Creating a Custom Identity Service Plug-in This chapter describes how to create a custom identity service plug-in to integrate into specific third-party repositories. Creating a Custom Identity Service Plug-in 3-1 . After you create a custom plug-in. you perform the following tasks: ■ ■ ■ ■ ■ Assemble all classes into a custom plug-in JAR file Deploy the JAR file Include the JAR file in the Oracle BPEL Process Manager classpath Configure the is_config. This chapter contains the following topics: ■ ■ Creating a Custom Identity Service Plug-in Summary Creating a Custom Identity Service Plug-in You can create a custom identity service plug-in to integrate into specific third-party repositories.

This enables users and groups that are granted these roles to perform all of the tasks related to the application. Roles are granted to users and groups of users. BPMUser This defines an Oracle BPEL Process Manager user. BPMAppRole instances must define a set of workflow BPMActivities that users can have. For any plug-in. BPMRole defines methods to find all users and roles that are granted a role. This defines an Oracle BPEL Process Manager group. You can use this interface for each of your custom repositories.http. This is a convenience interface.util. All users who belong to a user group are granted all of that group's privileges. this is the main class that is instantiated by the service factory. This represents an identity and defines the common methods for any identity in the Oracle BPEL Process Manager identity service. application roles are defined for tasks supported by an application. last name. BPMIdentity derives from the BPMPrincipal interface.Element. e-mail. This defines an Oracle BPEL Process Manager role. import java.*.servlet. Derived from BPMRole. package is. BPMAuthorizat This defines the Oracle BPEL Process Manager authorization service ionService provider interface.HttpServletRequest. The interface helps to localize all functionality required for repository access in implementing the interface class. This defines the set of methods and APIs that must be supported for any third-party repository. Derived from BPMRole. BPMRole BPMAppRole BPMGroup BPMIdentity BPMPrincipal BPMProvider See Also: The Javadoc for the different interfaces of the identity service located in SOA_Oracle_Home\bpel\docs\workflow Implementing the Identity Service Plug-in The entry point for identity service implementation is BPMIdentityService. Both BPMUser and BPMRole are derived from this interface. BPMGroup is a convenient way to assign rights and permissions to several users at one time. BPMAuthentica This defines the Oracle BPEL Process Manager authentication service tionService provider interface. import javax. This interface makes it possible to have one identity service implementation that can plug into different custom providers. a role itself can be granted to another role.plugin. This defines an Oracle BPEL Process Manager application role. import org.w3c. 3-2 Oracle BPEL Process Manager Administrator’s Guide . This interface extends the BPMAuthorizationService and BPMAuthenticationService interfaces.Creating a Custom Identity Service Plug-in Table 3–1 Interface Interfaces Description BPMIdentitySe This is the main interface defining the Oracle BPEL Process Manager rvice identity service.custom.dom. and so on). A user is identified by a logical name and has various associated attributes such as first name. Roles can be nested (that is. and so on. A role is defined as the permissions or privileges required by a user to perform the tasks related to their job. This defines the common set of methods and APIs for roles and users.

IDENTITYSERVICE_NAME_IS_NULL).*. BPMAuthorizationService #lookupUser(String) */ public BPMUser lookupUser(String userName) throws BPMIdentityException.common.services.getDefaultRealmName(). if(userName == null) throw new BPMIdentityException( PCExceptionIndex. if ( realmName == null ) { realmName = cfgSrv.Creating a Custom Identity Service Plug-in import oracle. CustomIdentityService service = new CustomIdentityService(providerCfg). } } … /** * @see oracle.getProviderCfg( ProviderCfg. } Configuration config = cfgSrv. ProviderCfg providerCfg = config.exception. getRealmName()}). BPMIdentityNotFoundException { Logger. BPMUser user = getProvider().IDENTITYSERVICE_USER_NOT_FOUND.pc.SERVICESCOMPONENT).identity. DiagnosticService.lookupUser(userName).tip.debugLog("CustomIdentityService::lookupUser() begin"). public class CustomIdentityService extends BPMServiceBase implements BPMIdentityService { /** * Constructor */ private CustomIdentityService(ProviderCfg provCfg) throws ServiceException { super(provCfg).getConfigurationInstance(realmName).debugLog("CustomIdentityService::lookupUser() end"). return user. import oracle.infra. } /** * Factory Method */ public static Service getInstance(String realmName) throws ServiceException { try { BPMIdentityConfigService cfgSrv = ServiceFactory. if(user==null) { throw new BPMIdentityNotFoundException( PCExceptionIndex.pc. import oracle.tip.pc.getIdentityConfigServiceInstance().services. } Creating a Custom Identity Service Plug-in 3-3 .IDENTITY_SERVICE).*. new String[] {userName.tip.identity.pc.tip. } ….services. } Logger. return service.*. } catch (Exception e) { throw new ServiceException(e.

You must implement the BPMAuthenticationService or BPMAutorizationService interface if the configuration specifies CUSTOM providerType for only the authentication or authorization service providers: <?xml version = '1.tip.identity.name. or BPMAuthorization interface can extend the oracle.com"> <provider providerType="CUSTOM" name="CustomPlugIn" service="Identity" class=”package.0' encoding = 'UTF-8'?> <ISConfiguration xmlns="http://www.com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="jazn.BPMServiceBase class to leverage basic service functionality.com/pcbpel/identityservice/isconfig" <configurations <configuration realmName="jazn. only the authentication provider uses the custom implementation while all other inquiries use the JAZN XML-based provider.CustomAuthenticationService” / </configuration </configurations </ISConfiguration In the preceding example.CustomIdentityService”> <property name=”customProperty” value=”customValue” /> </configuration> </configurations> </ISConfiguration> All three service classes implementing the BPMIdentityService. then the BPMIdentityService interface must be implemented: <?xml version = '1.xml file specifies CUSTOM as the providerType for the identity service. Specifying the Service Factory Methods All custom service classes must have the static factory getInstance() method to create the instance of the service provider: public static Service getInstance(String realmName) throws ServiceException. The class CustomAuthenticationService must implement the BPMAuthenticationService interface.0' encoding = 'UTF-8'? <ISConfiguration xmlns="http://www. If the SOA_Oracle_Home\bpel\system\services\config\is_config.xml"/ </provider <provider providerType="CUSTOM name="CustomPlugIn" service="Authentication class=”package.com" <provider providerType="JAZN" name="xml" service="Identity" <property name="userPropertiesFile" value="users-properties.getIdentityConfigServiceInstance().getDefaultRealmName(). CustomIdentityService is a class that implements the BPMIdentityService interfaces.oracle. it assumes the default realm is used. String defaultRealmName = cfgService. You can get the default realm name by using the configuration service API: BPMIdentityConfigService cfgService = ServiceFactory.pc.name.oracle. 3-4 Oracle BPEL Process Manager Administrator’s Guide .Creating a Custom Identity Service Plug-in In the proceeding example. BPMAuthenticationService. The realmName is a context of the business process. If realmName is null.services.

which defines properties for a given configuration. getAutorizationServiceInstance(). The specific provider configuration can then be fetched: ProviderCfg providerCfg = conf.tip.getProviderCfg(serviceName).services.Creating a Custom Identity Service Plug-in The service factory oracle. getIdentityServiceInstance(). The service can then be created: CustomIdentityService service = new CustomIdentityService(providerCfg). the custom service classes must implement the init() method: public void init() throws BPMIdentityException { m_provider = CustomerProvider. These methods are used by Java clients to receive the instances of the corresponding services providers. The service factory methods create custom service instances at run time if the CUSTOM provider type is specified for the service. the service factory method must get an instance of the ProviderCfg class. getAuthenticationServiceInstance().service. These methods invoke the custom service getInstance(String realmName) API. If they do. m_status = new ServiceStatus(true. Creating a Custom Identity Service Plug-in 3-5 .pc. If the service provider class extends the oracle.AUTHENTICATION_SERVICE — for authentication service provider ProviderCfg.getConfigurationInstance(realmName).pc. -1.getInstance(m_providerCfg). getAuthorizationServiceInstance(String realmName). For example.common. "Service is available". where serviceName is one of the following values: ■ ■ ProviderCfg.AUTHORIZATION_SERVICE — for authorization service provider See Also: ■ Identity service configuration Javadoc located in SOA_Oracle_Home\bpel\docs\workflow Implementing the BPMProvider Interface The easiest way to write authentication and authorization services for a custom plug-in is to implement the BPMProvider interface for the custom repository.tip.ServiceFactory class defines the following public static methods: BPMIdentityService BPMAutorizationService BPMAuthenticationService BPMIdentityService BPMAutorizationService BPMAuthenticationService getIdentityServiceInstance(String realmName). All instances of the implementing object can delegate calls to the provider that is responsible for dealing with the repository-specific calls. getAuthenticationServiceInstance(String realmName).BPMServiceBase class. Specifying the Provider Configuration The BPMIdentityConfigService instance provides access to the Configuration object by the given realmName: Configuration conf = cfgService. The BPMProvider interface defines the minimum set of essential operations that must be defined over a custom repository for the identity service to function correctly.IDENTITY_SERVICE — for identity service provider ProviderCfg. the BPMServiceBase class is an abstract class that your service providers may extend.

with minor changes such as the name of the provider JAR file. The file must be located in a directory that is in the classpath of Oracle BPEL Process Manager.0' encoding = 'UTF-8'?> <ISConfiguration mlns="http://www.CustomIdentityService”> <property name="dataSource" value="jdbc/BPELSamplesDataSource"/> </provider> </configuration> </configurations> </ISConfiguration> The name attribute of the provider element can load the BPMProvider class.xml file in the SOA_Oracle_Home\j2ee\home\config directory: <library path="SOA_Oracle_Home\bpel\system\services\lib\isplugin. The custom property with the name dataSource gets the data source name for the JDBC connection. The library path must also point to the deployed JAR file. For example.oracle.com/pcbpel/identityservice/isconfig"> <configurations> <configuration realmName="realm"> <provider providerType="CUSTOM" service="Identity" name="package.jar must be added to the library path by adding the following lines to the application. and the JAR file deployed to the SOA_Oracle_ Home\services\lib directory.jar). The name attribute of the provider element is reserved for that purpose. you can load the provider class dynamically. isplugin. Optionally. it must be deployed to a location in the library path of Oracle BPEL Process Manager. By default. Registering and Configuring the Identity Service for the Custom Plug-in Identity service configuration in defined in the is_config. It stores the ServiceStatus object. CustomerProvider is a class that implements the BPMProvider interface.Creating a Custom Identity Service Plug-in } where m_provider is a protected member of the BPMServiceBase to reference the BPMProvider object. Deploying the Identity Service Plug-in For the workflow services to instantiate and invoke the plug-in. The following configuration file sample describes the database plug-in implemented as a custom provider for the identity service: <?xml version = '1. this file is stored in SOA_Oracle_Home\bpel\system\services\config.name.name. Get the provider class name for the CUSTOM providerType from the is_config.xml file.xml file. isplugin. The m_ status member is a protected member of the BPMServiceBase class. the classes assembled into a JAR file (for example.jar"/> The same deployment scheme can be used for any custom plug-in.CustomerProvider" class=”package. The plug-in code must be compiled. The class attribute defines the implementation class for BPMIdentityService. See Also: "Configuring the Identity Service" on page 2-1 for identity service configuration procedures 3-6 Oracle BPEL Process Manager Administrator’s Guide .

including the JAR file in the Oracle BPEL Process Manager classpath.Summary Creating Users and Groups The identity service does not define any of the administrative APIs. Details are provided for assembling all classes into a custom plug-in JAR file. configuring the is_config. including the creation of users and roles or the granting of roles to users. roles. deploying the JAR file. and groups Summary This chapter describes how to create a custom identity service plug-in to integrate into specific third-party repositories. "Demo User Community" for details about users. and creating system users and groups. See Also: Appendix A. You must use tools specific to the user repository to accomplish this task.xml file. Creating a Custom Identity Service Plug-in 3-7 .

Summary 3-8 Oracle BPEL Process Manager Administrator’s Guide .

access information on HTTP requests.xml in the SOA_Oracle_ Home\bpel\system\config directory ■ Configuring and Viewing BPEL Process Logs 4-1 . Make this change in the log4j-config. warning messages. This chapter contains the following topics: ■ ■ ■ ■ ■ ■ ■ Logging Overview Domain Level Logging System Level Logging System and Domain Level Logging Examples Logging with Sensors Logging with bpelx:exec in a Java Embedding Activity Summary Logging Overview Oracle BPEL Process Manager uses the log4j tool to generate log files containing messages that describe startup and shutdown information. you must change the appender format of the messages written to log files. and additional information. The log4j tool enables logging at runtime without modifying the application binary. Instead.4 Configuring and Viewing BPEL Process Logs This chapter describes how to configure Oracle BPEL Process Manager logging levels and view logging results. errors.xml file.xml in the SOA_Oracle_ Home\bpel\domains\domain_name\config directory For system level logging. change log4j-config. which is located in the following directories: ■ For domain level logging. To do this. logging behavior is controlled by editing properties in Oracle BPEL Control and Oracle BPEL Admin Console. change log4j-config. Two logging levels are supported in Oracle BPEL Process Manager: ■ ■ Domain — Manages logging information within specific domains System — Manages logging information on a system-wide level The default format of log files created by log4j cannot be read by the log loader and written to the log repository in Oracle Enterprise Manager 10g Application Server Control Console.

apache.Domain Level Logging See Also: ■ "Configuring Logging for Application Server Control" of Oracle Application Server Administrator’s Guide for details about changing the appender format for log files in Oracle Enterprise Manager 10g Application Server Control Console http://logging. The domain log files are located in SOA_Oracle_Home\bpel\domains\domain_name\logs. Select Manage BPEL Domain > Logging. 2. 3. Select the domain for which to set domain logging levels from the list in the upper right corner.Oracle_Home > Oracle BPEL Process Manager > BPEL Control Going to the following URL: http://localhost:port/BPELConsole ■ where port is: – – 8888 if you installed Oracle BPEL Process Manager from the Oracle Application Server SOA software CD. 9700 if you installed the Oracle BPEL Process Manager for Developers or Oracle BPEL Process Manager for OracleAS Middle Tier install type from the Oracle BPEL Process Manager software CD. You set domain logging levels in Oracle BPEL Control.org/log4j/docs for details about log4j Oracle Process Manager and Notification Server Administrator’s Guide for details about Oracle Process Manager and Notification Server (OPMN) log files located in SOA_Oracle_Home\opmn\logs ■ ■ Domain Level Logging Domain logging enables you to log and troubleshoot issues for a specific BPEL domain. Enter the oc4jadmin user name and password when prompted. Follow these procedures to set domain logging levels. 4-2 Oracle BPEL Process Manager Administrator’s Guide . Access Oracle BPEL Control through one of the following methods: ■ Selecting Start > All Programs > Oracle . 4. 1. The Logging window appears.

Enables all logging. When a logging level is specified. an administrator-supplied configuration parameter is incorrect and you default to using a hard-coded value). 5. Logs debugging messages that should not be printed when the application is in a production environment.cube. Warn Info Debug All The lower part of the Logging window displays the types of loggers you can set. This selection is the lowest priority.cube domain_name..Domain Level Logging The following logging levels are available and listed here from highest priority to lowest priority.collaxa. Logs application error messages to a log. all messages with a lower priority level than the one selected are ignored.activation domain_name. After logging occurs.. This selection is the highest priority.collaxa.cube.collaxa.collaxa. Logging Level Off Fatal Error This Selection. Logger Name domain_name. Logs messages in a format similar to the verbose mode of many applications.cube. the application continues to run (for example.reports Description General BPEL logging (system) Activation agent logging (inbound adapters) BPEL unit test logging Oracle BPEL Control reports logging Configuring and Viewing BPEL Process Logs 4-3 . Disables logging.console.bpeltest domain_name. Logs critical messages. Logs warning messages to a log. the application quits abnormally. Review the levels and descriptions. the application continues to run without problems.

SOAP.engine.transaction domain_name.Domain Level Logging Logger Name domain_name.log file located in SOA_Oracle_ Home\bpel\domains\domain_name\logs. Review the domain. each executed BPEL activity logs messages. 7. Archiving is not supported in 10.cube.cube.delivery domain_name.collaxa.security domain_name.collaxa.3.sensor domain_name.collaxa.collaxa.oracle. Select a level from the Logging Level list for a specific logger name or select a single level for all logger names from the Change All list.archive domain_name.engine.bpel.collaxa. and adapters).cube.cube.xml domain_name. If enabled.translation Description XML message logging Internal agent framework logging (for example.3 releases.collaxa. Rerun the process to collect logging data. 8. This logger is not used in 10.collaxa.engine. expiration agents) JAR file archive deployment logging in pre-10. WSIF layer (inbound and outbound).ws domain_name. Note: These parameters can also be configured by editing log4j-config.engine.cube. 9. and XML documents (BPEL variables) logging Inside validator logging domain_name.bpel domain_name.engine.cube.cube. notifications or human workflow) Adapter translation layer logging (the transformation between adapter protocol and inbound XML documents) Communication-related logging (for example.cube.3.dispatch domain_name.cube.collaxa.collaxa.security 6.cube.engine.agents domain_name.messaging domain_name.services domain_name.cube.cube.engine.data domain_name. 4-4 Oracle BPEL Process Manager Administrator’s Guide .cube. Persistence and dehydration layer logging Delivery service and manager logging.cube.1.collaxa.deployment domain_name.cube.cube. this logger is responsible for callbacks and initiating delivery Deployment of BPEL suitcases logging Asynchronous message logging Transaction-related logging of the execution of process steps.engine domain_name.1. Messaging layer logging (as Oracle BPEL Process Manager uses messaging services for scaling) Server-side security logging (message header authentication layer) Sensor publisher layer logging Services logging (for example. Click Apply. BPEL process logging.collaxa. XPath. XML processing and transformation.engine.1.xml in the SOA_Oracle_ Home\bpel\domains\domain_name\config directory.collaxa.collaxa.collaxa.collaxa.collaxa.

thirdparty.enterprise AXIS-related logging org.System Level Logging System Level Logging System level logging is provided for infrastructure. Click Apply. Logger Name collaxa collaxa.apache. 5. 1. The logging levels that display are the same as those described in Step 4 on page 4-3.cube.cube.collaxa.wsif org.jgroups org.cube. The Logging window appears.collaxa.logging org. 2.apache. Select a level from the Logging Level list for a specific logger name or select a single level for all logger names from the Change All list. The lower part of the Logging window displays the types of loggers you can set. 3. Enter the oc4jadmin user name and password when prompted.thirdparty. 7.transport org. You set system logging levels in Oracle BPEL Admin Console.collaxa. Follow these procedures to set system logging levels.cluster collaxa. AXIS.wsif.thirdparty. Access Oracle BPEL Admin Console: http://localhost:port/BPELAdmin where port is: – – 8888 if you installed Oracle BPEL Process Manager from the Oracle Application Server SOA software CD.collaxa.apache.thirdparty. The system log files are located in SOA_Oracle_Home\bpel\system\logs.axis.thirdparty.apache. 6.collaxa.thirdparty.quartz wsif 4.infrastructure collaxa.axis Description General Oracle BPEL Process Manager logging Cluster-related logging Infrastructure logging issues such as database connectors All Oracle BPEL Process Manager service logging General AXIS-related logging org. Configuring and Viewing BPEL Process Logs 4-5 .services org.apache. Axis-related logging (to see what AXIS is sending over the network) System-wide WSIF logging. 9700 if you installed the Oracle BPEL Process Manager for Developers or Oracle BPEL Process Manager for OracleAS Middle Tier install type from the Oracle BPEL Process Manager software CD.collaxa. Click Logging. WSIF logging JGroups related-logging Quartz scheduler-related logging WSIF logging Review the levels and descriptions.axis. Rerun the process to collect logging data. and WSIF issues.

collaxa. Check the following loggers: ■ ■ domain_name.apache.thirdparty.thirdparty. Check the following loggers: ■ domain_name.xml in the SOA_Oracle_ Home\bpel\system\config directory. but the e-mail does not arrive at the intended location.services — to see what occurred during delivery attempt 4-6 Oracle BPEL Process Manager Administrator’s Guide . Example 1: Process Invokes an External Web Service Your process invokes an external Web service.delivery — to see what the delivery handler does.cube. Review the orabpel.log file located in SOA_Oracle_ Home\bpel\system\logs.engine. or waits forever).apache. and if a message is retrieved that can be correlated ■ Example 4: Process Sends a Notification Your process sends a notification through an e-mail activity.thirdparty.collaxa.ws — to see if something went wrong before sending org.collaxa.apache.cube.cube.ws — to see the complete stack org.axis and org.axis and org.axis. System and Domain Level Logging Examples This section provides examples of the logger names to set to the Debug logging level to troubleshoot problems.apache.collaxa.thirdparty. Note: These parameters can also be configured by editing log4j-config. Check the following loggers: ■ ■ domain_name.apache.cube.System and Domain Level Logging Examples 8.collaxa.wsif — to examine the WSIF portion that performs the real invocation Example 3: Process Invokes an Asynchronous Service Your process invokes an asynchronous service and never receives a callback (it times out.collaxa.transport — to see what is currently being sent ■ Example 2: Java Class Invoked through WSIF Binding A Java class is invoked through WSIF binding and a binding fault occurs.cube.collaxa.ws — this is related to the outbound direction org.thirdparty. and the data retrieved by the Web service is incorrect. Check the following logger: ■ domain_name.axis.transport — to see what was sent and to see the outgoing WSA header needed for correlation domain_name.collaxa.collaxa.collaxa.

To do this. The method addAuditTrailEntry(String):void enables you to add an entry to the audit trail. you can create a sensor on an invoke activity and create a message that is sent to a JMS queue. You add sensors to specific activities and then extract data from variables. Configuring and Viewing BPEL Process Logs 4-7 . you must implement a custom sensor publishing action to do the log4j logging.Summary Logging with Sensors You can use sensors to generate application logging activity. See Also: Oracle BPEL Process Manager Developer’s Guide for details about sensors Logging with bpelx:exec in a Java Embedding Activity You can also log messages by adding custom Java code to a BPEL process using the Java BPEL exec extension bpelx:exec inside a Java Embedding activity in Oracle JDeveloper. Note that logging with sensors impacts performance because sensor data objects are built even when logging is disabled. Alternative methods for generating logging information (with sensors and with bpelx:exec) are also described. For example. Examples of logger names to set in order to view troubleshooting information are provided. Summary This chapter describes how to configure and view BPEL process logs at the domain and system levels.

Summary 4-8 Oracle BPEL Process Manager Administrator’s Guide .

A Demo User Community This appendix describes the demo user community for task assignments in Oracle BPEL Process Manager. "Service Configuration" Oracle BPEL Process Manager Developer’s Guide Oracle Containers for J2EE Configuration and Administration Guide Oracle Containers for J2EE Security Guide Oracle Containers for J2EE Services Guide Demo Users and Roles For the LDAP-based JAZN provider (Oracle Internet Directory). bpeladmin. See "Demo Users and Roles" on page A-1 for a list of users and roles seeded with the product. The default password is welcome1 for all LDAP-based JAZN providers (Oracle Internet Directory. Sun Directory Server. and default) Demo users (see Table A–1) Application roles (see Table A–2) Enterprise groups (see Table A–3) Demo role and group owners (see Table A–4) Demo User Community A-1 . See Also: ■ ■ ■ ■ ■ Chapter 2.com. users are seeded under the realm you select when prompted during BPEL Process Manager for OracleAS Middle Tier installation. For the XML-based JAZN provider. and so on) and for the XML-based JAZN provider. guest. This appendix contains the following topics: ■ ■ Setting Up JAZN Demo Users Summary Setting Up JAZN Demo Users Demo users are included with Oracle BPEL Process Manager. The Oracle BPEL Process Manager demo community includes: ■ ■ ■ ■ ■ System users (oc4jadmin. Active Directory. the Oracle BPEL Process Manager demo community is defined under the default realm jazn.

oracle.oracle.com user1@dlsun1313.Setting Up JAZN Demo Users The seventeen Oracle BPEL Process Manager demo users and demo role owners are shown in Table A–1.com user4@dlsun1313.com user2@dlsun1313.com user4@dlsun1313.us .oracle.oracle.oracle. guest.us .com user3@dlsun1313.com user3@dlsun1313.us .oracle.com user2@dlsun1313.oracle.us .oracle.us .us .com cdickens Charles cdoyle fkafka istone jausten jcooper jlondon jstein ltolsoy mmitch mtwain rsteven Conan Franz Irving Jane James Jack John Leo Margaret Mark Robert sfitzger Scott szweig wfaulk wshake Stefan William William Shakespeare Loan Consultant Notes: ■ The system users (oc4jadmin.oracle.com user1@dlsun1313.us .us . and default) are also part of the demo user community shown in Table A–1.oracle. All users have the languagePreference property defined as en-US (U.S.com user3@dlsun1313. English) and the notificationPreference property set to Mail.oracle.us .com user3@dlsun1313.com user3@dlsun1313. bpeladmin.com user2@dlsun1313.com user3@dlsun1313.us .oracle.oracle.us . Table A–1 User Name 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 achrist Demo User Community First Name Middle Name Last Name Agatha ----------Munnerlyn -Louis ----Christie Dickens Doyle Kafka Stone Austen Cooper London Steinbeck Tolstoy Mitchell Twain Stevenson Fitzgerald Zweig Faulkner Title Loan Consultant CEO Loan Agent 2 Manager 1 Loan Agent 2 Loan Consultant Loan Agent 1 Loan Agent 1 Manager 2 Director Loan Analyst Loan Agent 2 Manager 3 Manager 1 Loan Analyst Vice President Manager sfitzger -rsteven ltolsoy sfitzger fkafka jstein sfitzger wfaulk wfaulk fkafka jstein jstein wfaulk fkafka cdickens rsteven E-mail user3@dlsun1313.us .us .com user1@dlsun1313.oracle.us .oracle.oracle.us .us .oracle. ■ A-2 Oracle BPEL Process Manager Administrator’s Guide .us .com user4@dlsun1313.com user3@dlsun1313.

fkafka. szweig. bpeladmin BPMWorkflowSuspend -- BPMWorkflowAdmin BPMWorkflowViewHistory jcooper. istone BPMDefaultDomainAdmin -- -- BPMWorkflowAdmin. fkafka. sfitzger. wshake. wfaulk. bpeladmin oc4jadmin. bpeladmin BPMWorkflowReassign jstein.Setting Up JAZN Demo Users Table A–2 and Table A–3 list the Oracle BPEL Process Manager application roles and enterprise groups for the users shown in Table A–1. BPMWorkflowViewHistory. rule-administrators BPMWorkflowSuspend. jstein. oc4jadmin. BPMAnalyst. mmitch. BPMAnalyst. oc4jadmin. rule-administrators -BPMWorkflowAdmin BPMWorkflowAdmin -- oc4jadmin. cdoyle. wfaulk. BPMWorkflowAdmin. BPMSystemAdmin BPMWorkflowReassign. RegionalOffices default -- BPMSystemAdmin See Also: ■ "Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles" on page 1-22 for additional details about the BPMDefaultDomainAdmin role The "Oracle BPEL Process Manager Workflow Services" chapter of Oracle BPEL Process Manager Developer’s Guide for additional details about other roles listed in Table A–2 ■ Demo User Community A-3 . mmitch. jlondon. -BPMWorkflowReassign. Table A–2 Role BPMAnalyst Oracle BPEL Process Manager Application Roles Demo Users System in Role Users in Role Granted Roles sfitzger. wfaulk. sfitzger. EasternRegion BPMSystemAdmin oc4jadmin. BPMDefaultDomainAdmin. mtwain. BPMWorkflowViewHistory. bpeladmin -Direct Role/Group Grantee to Role BPMWorkflowAdmin. wshake -default. guest. bpeladmin oc4jadmin. jstein. szweig. bpeladmin BPMWorkflowSuspend.

WesternRegion EasternRegion BPMAnalyst. WesternRegion. szweig. BPMWorkflowViewHistory RegionalOffices. sfitzger. -BPMWorkflowViewHistory RegionalOffices. default. cdoyle. mmitch.Setting Up JAZN Demo Users Table A–3 Oracle BPEL Process Manager Enterprise Groups Demo Users in Group System Users in Role Direct Role and Group Grantee to Group --LoanAnalyticGroup Group Supervisor Granted Roles and Group -LoanAgentGroup -- jcooper. szweig. istone. mmitch. szweig. The user can own the group directly or indirectly. mmitch -- RegionalOffices BPMWorkflowViewHistory EasternRegion. Table A–4 shows the list of roles and groups with owners. fkafka. cdoyle. fkafka. wshake. jcooper. CentralRegion. BPMAnalyst Supervisor California WesternRegion jstein fkafka jstein A-4 Oracle BPEL Process Manager Administrator’s Guide . mtwain. -RegionalOffices. wshake bpeladmin. mtwain. fkafka. oc4jadmin. jstein. jcooper. which is implicitly granted to all registered Oracle BPEL Process Manager users. default. szweig jlondon. BPMWorkflowViewHistory CentralRegion WesternRegion California jlondon. szweig. mmitch. The workflow rules for groups and roles can be created by users who are either the group owner or have the BPMWorkflowAdmin role. Table A–4 Role/Group LoanAnalyticGroup Oracle BPEL Process Manager Demo Role and Group Owners Direct Owners jstein. -istone istone. wfaulk jstein fkafka jstein LoanAgentGroup fkafka. The user owns the group and role indirectly if they are a grantee for another role and group that owns the role and group. oc4jadmin. mtwain. wshake. BPMAnalyst Owners bpeladmin. mtwain -cdoyle. -jcooper. -rsteven -- LoanAnalyticGroup fkafka. jcooper. fkafka. guest. California BPMWorkflowViewHistory -RegionalOffices. guest. wshake. mmitch LoanAgentGroup jlondon. sfitzger. jstein. fkafka. szweig wshake. jcooper -- Oracle BPEL Process Manager declares the role PUBLIC. istone. -jcooper. mmitch. The bpeladmin system user owns the BPMWorkflowAdmin role.

LoanAgentGroup bpeladmin Owners jstein cdoyle. mtwain. wshake bpeladmin BPMWorkflowAdmin Note: Every demo community user who belongs to the BPMAnalyst role is an indirect owner of the LoanAgentGroup and LoanAnalyticGroup roles. Every user who belongs to the LoanAgentGroup is an indirect owner of the BPMAnalyst role. fkafka. jlondon. szweig. sfitzger. istone. mmitch. Figure A–1 Demo Users Organizational Hierarchy CEO Charles Dickens Cdickens Vice President William Faulkner Wfaulk Manager1 Scott Fitzgerald sfitzger Manager2 John Steinbeck jstein Director Leo Tolstoy ltolstoy Manager1 Franz Kafka fkafka Loan Agent1 Jack London jlondon Loan Agent2 Irving Stone istone Loan Consultant Agatha Christie achrist Loan Analyst Stefan Zweig szweig Loan Analyst Margaret Munnerlyn Mitchell mmitch Loan Consultant Jane Austin jausten Manager3 Robert Louis Stevenson rsteven Loan Agent1 Loan Agent2 Loan Agent2 Loan Consultant James Cooper jcooper Mark Twain mtwain Conan Doyle cdoyle William Shakespeare wshake Demo User Community A-5 . jcooper.) Oracle BPEL Process Manager Demo Role and Group Owners Role/Group EasternRegion BPMAnalyst Direct Owners jstein jstein. jcooper.Setting Up JAZN Demo Users Table A–4 (Cont. Figure A–1 shows the organizational hierarchy of the demo users. jstein.

As shown in Table A–1. Assign a task to a group named Supervisor. you assign a group of users to a task in the Human Task editor. See: Oracle BPEL Process Manager Order Booking Tutorial for instructions on performing these tasks Summary This appendix describes the demo user community for task assignments in Oracle BPEL Process Manager. the supervisor of jcooper is jstein. jstein (the supervisor of jcooper) must also review this task. Select 1 for the number of levels in the management chain to sequentially review this task. You then log in as jstein and approve the task. Because you specified 1 as the number of levels in the management chain to sequentially review this task. When using this editor. and approve it. you perform the following tasks: ■ Select Management Chain as the participant type. ■ ■ When the BPEL process is deployed. you log in to the Oracle BPEL Worklist Application with the user jcooper. A-6 Oracle BPEL Process Manager Administrator’s Guide . acquire the task. In this tutorial. which enables a chain of management to sequentially review the task.Summary Using the Demo User Community in the Order Booking Tutorial The OrderBooking tutorial provides an example in which you use the demo user community.

Index
A
actionableEmailAccountName configuration, 2-27 Active Directory configuration, 2-15 Admintool for creating realms, users, and roles, 2-7 application roles, A-3 assigneeDelimiter configuration, 2-28 authentication BPMAuthenticationService, 3-2 definition, 1-3 NULL authentication required with Oracle Internet Directory, 2-13 service provider, 2-3 through identity service, 2-1 authorization BPMAuthorizationService, 3-2 definition, 1-3 Oracle Web Services Manager, 1-29 through identity service, 2-1 Axis services with custom authentication handlers basicHeaders, 1-20 basicPassword, 1-20 basicUsername, 1-20 invoking secured services, 1-20 definitions, 1-4 .bpel_TaskActionHandler_1.0.jar deleting, 1-7 .bpel_TaskManager_1.0.jar deleting, 1-7 bpeladmin owner of BPMWorkflowAdmin role, A-4 part of demo user community, A-2 system user in role, A-3 user account, 1-22, A-1, A-2 with BPMSystemAdmin role, 1-22 bpelx:exec logging, 4-7 bpel.xml file, 1-19 BPMAnalyst role, A-3 role members directly own LoanAgentGroup and LoanAnalyticGroup, A-5 BPMAppRole interface description, 3-2 BPMAuthenticationService interface description, 3-2 BPMAuthorizationService interface description, 3-2 BPMDefaultDomainAdmin definition, 1-22 granting, 1-23 role, A-3 BPMGroup interface description, 3-2 BPMIdentity interface description, 3-2 BPMIdentityService interface description, 3-2 BPMPrincipal interface description, 3-2 BPMProvider interface description, 3-2 BPMRole interface description, 3-2 BPMSystemAdmin definition, 1-22 granting, 1-23 role, A-3 BPMUser interface description, 3-2

B
basicHeaders Axis services with custom authentication handlers, 1-20 basicPassword Axis services with custom authentication handlers, 1-20 basicUsername Axis services with custom authentication handlers, 1-20 BPEL processes securing, 1-5 using J2EE basic authentication, 1-8 using native BPEL security extensions, 1-10 using SSL for certificate-based authentication, BPEL security extensions

1-6

Index-1

BPMWorkflowAdmin creating workflow rules for groups, A-4 owned by bpeladmin user account, A-4 role, A-3 BPMWorkflowReassign role, A-3 BPMWorkflowSuspend role, A-3 BPMWorkflowViewHistory role, A-3

editing the log4j-config.xml file, 4-4 examples, 4-6 logger names, 4-3 setting logging values, 4-3 domain level security, 1-11 domain log files location of, 4-1, 4-2, 4-4 domains default, 1-22

C
cacerts file, 1-16, 1-17 California, A-4 group, A-4 CentralRegion group, A-4 configure_oid file configuring Oracle Internet Directory 10.1.2 with identity service 10.1.3.1.0, 2-10 connection element of identity service configuration file, 2-4 connection pool identity service properties, 2-4 custom identity service plug-in BPMAppRole interface, 3-2 BPMAuthenticationService interface, 3-2 BPMAuthorizationService interface, 3-2 BPMGroup interface, 3-2 BPMIdentity interface, 3-2 BPMIdentityService interface, 3-2 BPMPrincipal interface, 3-2 BPMProvider interface, 3-2 BPMRole interface, 3-2 BPMUser interface, 3-2 creating, 3-1 description of interfaces, 3-1 implementing, 3-2 repository example, 2-19

E
EasternRegion group, A-4 e-mail server configuring, 2-20 e-mail service ns_emails.xml file example, 2-22 encryption definition, 1-4 Oracle Web Services Manager, 1-29 enterprise groups, A-4 examples of system and domain level logging, 4-6

F
fax ns_faxcoverpages.xml file example, 2-24 fax wireless provider configuring fax cover pages, 2-24

G
group ownership setting up, 2-19, 2-20 groups California, A-4 CentralRegion, A-4 EasternRegion, A-4 enterprise groups, A-4 LoanAgentGroup, A-4 LoanAnalyticGroup, A-4 RegionalOffices, A-4 Supervisor, A-4 WesternRegion, A-4 guest part of demo user community, A-2 system user in role, A-3 user account, A-1, A-2

D
default domain, 1-22 part of demo user community, A-2 system user in role, A-3 user account, 1-22, A-1, A-2 with BPMDefaultDomainAdmin role, 1-22 demo community definition, A-1 example of use, A-6 for Oracle BPEL Process Manager, A-1 organizational hierarchy of members, A-5 roles, A-3 users, A-2 digital signatures definition, 1-4 Oracle Web Services Manager, 1-29 domain level logs

H
HTTP basic authentication httpPassword, 1-21 httpUsername, 1-20 invoking secured services, 1-20 HTTP binding invoking secured services, 1-21 native BPEL security extensions, 1-13 HTTP proxy server

Index-2

invoking a partner link, 1-28 httpPassword HTTP basic authentication, 1-21 httpUsername HTTP basic authentication, 1-20

I
identity service BPMAppRole interface, 3-2 BPMAuthenticationService interface, 3-2 BPMAuthorizationService interface, 3-2 BPMGroup interface, 3-2 BPMIdentity interface, 3-2 BPMIdentityService interface, 3-2 BPMPrincipal interface, 3-2 BPMProvider interface, 3-2 BPMRole interface, 3-2 BPMUser interface, 3-2 configuring 10.1.3.1.0 with 10.1.2 Oracle Internet Directory, 2-7 connection element, 2-4 connection pool properties, 2-4 custom plug-in configuration, 2-19 definition, 2-1 multiple service providers, 2-3 roles, 2-1 structure of identity service configuration file, 2-1 use with JAZN, 2-1 userControls and roleControl elements, 2-5 users, 2-1 inbound supported security methods, 1-1 inbound security definition, 1-1, 1-5 interfaces for custom identity service plug-ins, 3-1 is_config.xml file connection element, 2-4 identity service configuration file, 2-1 location of, 2-1 location of XML schema file for, 2-1 provider element, 2-2 roleControls element, 2-5 userControls element, 2-5

with, 1-22 Java and EJB binding invoking secured services, 1-21 Java API native BPEL security extensions, 1-13 Javadoc location of identity service Javadoc, 3-2, 3-5 JAZN demo users, A-1 LDAP-based provider configuration, 2-7 roles, A-1 setting up users, A-1 used with identity service, 2-1 XML-based provider configuration, 2-6 JAZN Admintool for creating realms, users, and roles, 2-7 jazn-data.xml file, 1-9 defining the JAZN element, 2-6 jssecacerts file, 1-16

K
keystore, 1-17 keytool running, 1-16

L
LDAP Oracle Internet Directory provider type, A-1 password for Oracle Internet Directory provider type, A-1 LDAP server third-party configuration, 2-15 LDAP-based JAZN provider configuration, 2-7 LoanAgentGroup, A-4 group, A-4 LoanAnalyticGroup, A-4 group, A-4 log files format, 4-1 location of OPMN log files, 4-2 log4j overview, 4-1 log4j-config.xml file editing domain level log values, 4-4 editing system level log values, 4-6 logger names domain level logs, 4-3 system level logs, 4-5 logging domain level, 4-1, 4-2 format of log files, 4-1 levels, 4-1, 4-3 location of domain log files, 4-1 location of system log files, 4-1 log4j, 4-1 overview, 4-1 performance implications of logging with

J
J2EE basic authentication for BPEL processes, 1-8 Oracle BPEL Process Manager for Developers, 1-9 Oracle BPEL Process Manager for OracleAS Middle Tier, 1-9 J2EE basic authentication protected services (HTTP) HTTP basic authentication, 1-20 HTTP binding, 1-21 invoking secured services, 1-20 JAAS security features Oracle BPEL Process Manager integrated

Index-3

2-8 configuring 10. 2-31 deploying Web services. 1-12 multiple service providers identity service support. 2-22 XML elements.xml file example. 2-25 XML elements.0. 2-24 configuring the SMS wireless provider. 4-3 warn. 2-23 2-23 O OC4J instances configuring. 1-7 Oracle Internet Directory associating with an Oracle Application Server instance. A-3 user account. A-2 OPMN log files location of. 2-22 configuring the pager wireless provider. 2-38 Oracle BPEL Admin Console setting system level log values. 2-22 notification service configuring. 4-5 system level. 4-3 fatal. 4-7 logging levels all. 1-22 integrating with Oracle Application Server Service Registry. 1-22 includes BPMSystemAdmin role. 2-37 creating a connection to the UDDI registry.1. 2-24 registering the pluggable notification service. 4-3 info. 2-24 configuring the notification mode. 2-7 M message-handlers. 2-36 specifying the registry service key. 4-2 Oracle Application Server Service Registry configuring. 2-24 ns_iasconfig. 4-5 user accounts. 2-36 user accounts. 2-30 Oracle BPEL Process Manager for OracleAS Middle Tier certificate-based authentication for Oracle BPEL Server. 4-3 off. 1-13 Java API. 1-13 notification mode configuring. 1-22 Oracle BPEL Process Manager integrated with Oracle Applications Server J2EE and JAAS security features.1. 2-24 Index-4 . 4-5 with bpelx:exec. 2-20 ns_faxcoverpages. 2-20 example.xml file configuring. 2-30 OC4J instance requirements. 4-3 error. 4-7 setting domain level values in Oracle BPEL Control. 1-22 Oracle BPEL Control setting domain level log values. 2-31 integrating with Oracle BPEL Process Manager. 4-7 with sensors.xml file configuring fax cover pages. 4-3 specifying the registry service inquiry URL. 1-11 for BPEL processes.1. 2-35 securing the client with basic authentication. ns_iaswconfig.xml file. 2-20 configuring the e-mail server. 2-20 notifications configuring fax cover pages. 2-24 configuring the pluggable notification service. 2-23. 2-31 configuring a partner link. 2-38 specifying the registry service inquiry URL. 1-10 HTTP binding. 2-34 installing. 2-24 ns_emails. 1-22 part of demo user community. 4-3 logging performance implications. 2-31 requirements. 2-23 implementing the pluggable notification service. 1-7 certificate-based authentication with Oracle Wallet Manager. 2-31 publishing a service and adding bindings. A-1. 4-3 debug. 2-20 configuring the fax wireless provider. A-2 system user in role. 4-1. 4-3 description.2 with identity service 10. 4-3 setting system level values in Oracle BPEL Admin Console. 2-31 creating a second instance. 2-37 creating a second OC4J instance.sensors. 2-24 configuring the voice wireless provider. 2-31 oc4jadmin for creating application server connections in Oracle JDeveloper.xml file configuring. 1-13 SOAP over HTTP binding.3. 2-3 N native BPEL security extensions domain and process lever security. 1-7 Oracle BPEL Server enabling certificate-based authentication for Oracle BPEL Process Manager for OracleAS Middle Tier. 4-7 XML elements for voice.

2-38 roleControls element of identity service configuration file. 1-29 encryption. 1-17 HTTP/S with partner link and Oracle BPEL Server client certificate authentication. 1-20 custom validator. 1-26 default validator. A-4 registry service inquiry URL specifying. 1-8 Oracle BPEL Process Manager for OracleAS Middle Tier. 1-7 situations when not to use. 2-36 registry service key Index-5 . 1-29 security features of. 2-13 Oracle Wallet Manager cannot use the default certificate with Oracle BPEL Process Manager for OracleAS Middle Tier. 1-1 outbound security definition. A-3 BPMWorkflowSuspend. A-4 pushbackAssignee configuration. 2-13 performing configuration tasks. 1-20 Java and EJB binding. A-1 XML-based (JAZN) provider type. 2-2 proxy server invoking a partner link. 2-24 partner links configuring a connection to the UDDI registry. 1-11 provider element of identity service configuration file. 1-4 secured services Axis services with custom authentication handlers. 2-5 secure socket layer (SSL) certificate-based authentication for BPEL processes. A-3 BPMDefaultDomainAdmin. 2-13 troubleshooting. 1-29 digital signatures. 1-16 Oracle Web Services Manager authorization. A-3 BPMWorkflowViewHistory. A-1 pluggable notification service configuring. 1-21 using SSL for certificate-based authentication. 1-14 P pager wireless provider configuring. A-4 granting. 1-23 owners of. 1-28 outbound supported security methods. 2-24 implementing. A-3 with Oracle BPEL Process Manager. 1-6 Oracle BPEL Process Manager for Developers. 1-17 runtime. 1-28 PUBLIC role implicitly granted. 1-6 certificate-based authentication for invoking secured services. 1-1 invoking secured services. 1-22 S search attribute in userControls and roleControls elements. 1-14 J2EE basic authentication protected services (HTTP). 1-15 design time. 2-37 invoking a partner Web service through a proxy server. 1-7 enabling certificate-based authentication for Oracle BPEL Process Manager for OracleAS Middle Tier. 1-18 HTTP/S with partner link server certificate authentication. 1-15 WS-Security-compliant services. 1-1. 1-23 process level security. 2-24 registering. 1-20 invoking. 1-18 security Axis services with custom authentication handlers. 2-25 privileges granting. A-3 BPMWorkflowReassign. 2-5 roleControls Element function description. A-4 predefined by identity service. A-3 BPMWorkflowAdmin. 1-25 inbound methods supported. 2-5 search attributes. 1-17 definition. 2-27 R RegionalOffices group. A-3 direct owners of. A-3 demo community users in roles. 2-5 roles BPMAnalyst. A-3 BPMSystemAdmin. 2-14 testing the configuration. 1-28 passwords LDAP-based (Oracle Internet Directory) provider type. 2-10 preconfiguration tasks.configuring to use SSL. 2-1 system users in roles. 2-7 reverting to the XML-based JAZN provider. 1-14 specifying.

1-25 overview. 2-19 setting up for JAZN LDAP-based providers. A-4 group. 2-27 user ruleRepositoryInfo configuration. A-4 system level logs editing the log4j-config. 1-21 native BPEL security extensions. 1-10 outbound methods supported.xml file example. 1-22 for creating application server connections in Oracle JDeveloper. 1-1 overview. 2-27 WS-Security definition.xml file. 1-3 WS-Security-compliant services T taskAutoReleaseConfigurations configuration. 4-7 service key specifying. 2-29 workflowServiceSessionTimeoutInMinutes configuration. 1-20 Java and EJB binding. 1-19 SOAP over HTTP binding native BPEL security extensions. A-1. 2-5 search attributes. A-4 wf_config. 4-5. 2-27 assigneeDelimiter configuration. 1-22 userControls element. 1-8 J2EE basic authentication protected services (HTTP). 2-1 bpeladmin. 2-27 workflowServiceSessionTimeoutInMinutes configuration. 2-19 workflow service actionableEmailAccountName configuration. 1-22 Index-6 . 2-38 shortHistoryActions configuration. 1-6. 1-26 default. 2-28 taskAutoReleaseConfigurations configuration. 1-10 WesternRegion. 2-29 user accounts for accessing Oracle BPEL Control. 2-6 users automatically created. 1-25 voice service ns_iaswconfig. 2-29 worklistApplicationURL configuration. 2-37 integrating with Oracle BPEL Process Manager. 2-28 SMS wireless provider configuring. 2-23 W web. 2-1 guest. 2-23 voice wireless provider configuring. 2-15 truststore. 2-20 setting up for JAZN XML-based providers. 4-5 system log files location of. 1-1 securing BPEL processes. A-4 setting up. 1-7 soapServerUrl property setting for certificate-based authentication. 2-24 SOAP binding WS-Security-compliant services. A-4 group. 1-22 V validators creating a custom validator. 2-30 user ruleRepositoryInfo configuration. 2-27 third-party LDAP server configuration. 2-27 shortHistoryActions configuration. 2-1 default. 1-18 U UDDI registry creating a connection to. 2-5 of identity service configuration file. 2-5 user-properties. A-2 users accounts for accessing Oracle BPEL Admin Control. 1-18 sensors logging. 2-26 workflow rules for groups BPMWorkflowAdmin role. 1-13 soapCallbackURL property setting for certificate-based authentication. 1-25 WS-Security-compliant services. 4-5 setting logging values. 1-7 Supervisor. 4-6 examples. 1-26 custom. 4-1. 1-15 validators. 1-5 SSL for certificate-based authentication. 2-29 worklistApplicationURL configuration. 2-28 configuring.J2EE basic authentication. A-2 with Oracle BPEL Process Manager.xml file stores user properties. 2-1 in demo community. 4-6 logger names. 4-6 system users types.xml file configuring.xml file. 2-26 pushbackAssignee configuration.

1-18 wsseUsername WS-Security-compliant services.invoking secured services. 1-18 wsseUsername. 1-18 SOAP binding. 2-6 password. 1-19 wsseHeaders. 1-18 wsseHeaders WS-Security-compliant services. 2-14 Index-7 . 1-18 wssePassword. A-1 reverting to. 1-18 wssePassword WS-Security-compliant services. 1-18 X XML-based JAZN provider configuration.

Index-8 .

Sign up to vote on this title
UsefulNot useful